[unisog] Chronicle of Higher Ed. article on NetPD
prn at bsu.edu
Fri Nov 9 14:53:57 GMT 2001
>Now on to the question I would like to ask the list. What
>would members of the list consider to be an acceptable digital
>signature for emails being sent out?
>1. A PGP key issued for the role 'Client-Notifications' where
>a key would be created for each client
Not bad, but this might be more complicated than a single key, both at
your end and ours.
>2. A personal PGP key issued to a NetPD Employee
I suspect that this would be worse than either 1 or 3. I would much more
strongly prefer a *company* key for a *role* over a personal key.
>3. A key issued by a company (maybe Verisign) for the role
A key signed by Verisign might be a good idea, but I don't think it
would be absolutely necessary.
>4. Something that I have over looked?
>My personal preference would be #1.
Personally (and I am NOT the DMCA contact or any other sort of legal
contact here, so I am speaking only for myself) I would think a single
key for the company (NetPD) would be acceptable. If the key were signed
by Verisign, that might make it a little simpler to verify, but I
suspect that simply publishing the public key on your web site
(especially if it is accessible in relatively standard browsers) should
be fine. If it ever came down to a legal proceeding, there would need to
be testimony on the provenance of the key no matter what. I don't see
any added value in having different keys for signing complaints from
different clients, except as I discuss below.
>Also can anyone recommend ways of getting keys signed? I am not
>currently a PGP user.
I don't think you really need to worry too much about the "web of
trust." That concept is not really the most relevant model for what you
are doing here. Publishing the public key on your web site would
probably be enough to supply adequate evidence (for everyday purposes)
that a specific e-mail notification is from you and not forged. A
Verisign signature would be much more than adequate. As I said, if it
comes down to legal proceedings, no signature would *by itself* be
adequate. Testimony would be required in any case, so signatures (beyond
self-signing, of course) should not really be needed for day-to-day
Additional signatures or verification would gain in value *only* if you
had your keys signed with public keys that could readily be verified to
belong to the clients. That is, if Sony were to sign the key you used to
send out complaints about Michael Jackson songs using a key that they
(Sony) published on their web site or otherwise made readily available,
then you could demonstrate that you were, in fact as required by the
DMCA, an authorized agent for Sony. As it is, you have asserted on the
unisog list that your mailings are authorized, but as I understand the
various complaints, your e-mail notifications do not even assert that
you are authorized by Sony, much less demonstrate it. If Sony signed
your key, that would be a prima facie reason to believe that you are
acting as an agent of Sony.
The impressions I get are that your "notices" are not even close to the
"legal notice" specified in the DMCA. I understand that you are located
in the UK so you are not bound by US law, but you are notifying *us* of
violations under US law, so the notifications ought to conform to the
requirements of the law that your clients are hoping to use. They cannot
use the provisions of the DMCA unless their agents (you) follow the
requirements of the DMCA. Nevertheless, I understand that your clients
would probably strongly prefer that they not be forced into the
unprofitable need to bring the alleged violations into an actual court
if they don't have to, and I also get the impression that virtually all
of the unisog participants want to act in good faith and reduce the
number of copyright violations at their sites as much as possible. (We
know that eliminating them completely is next to impossible, but we do
want to do our best.) You can help in that regard by making your own
good-faith attempt to supply the necessary information. A digital
signature from the notifying agent (you) would appear to be one of the
missing requirements, so even if you do it in a minimal way, it would
help. Publish a PGP (or maybe even better a GPG <www.gnupg.org>) key on
your web site and use it to sign your notices.
At least as important is a way for university (or ISP) admins to verify
your findings. As numerous people have pointed out, an IP address is not
sufficient. We need at least a time and date in addition so that we can
make an attempt to identify IP addresses that vary due to DHCP or NAT. A
port or protocol would be handy too. By now, there are so many different
"file-sharing" clients that verifying any of the information is
unreasonably cumbersome. Whatever logs or other information you can
supply would be a big step forward. Saying that IP iii.jjj.kkk.lll is
serving "Foo" by Michael Jackson is not really adequate. Saying that "At
time T on date D, you found IP iii.jjj.kkk.lll serving 'Foo' by Michael
Jackson using Gnutella on port P" is a huge improvement. I'm sure that
others will have more concrete suggestions for what information they
will find most helpful in tracking down the culprit and/or verifying
your information, but my suggestion is to start work now on improving
your notifications. Improving your technology for finding infringing
material is good, but unless the information you develop can be used to
find and stop the infringement, it is ultimately useless to the admins
of the domains hosting the infringers as well as to your clients.
prn at bsu.edu
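An added example of the notice content the message above asks for: a small Python checker that reads a plain "Header: value" notice and reports what an admin would still need before the IP address could be traced through DHCP or NAT logs (observation time with a time zone, protocol, port, and the agent/rights-holder assertion). This is illustrative code written for this page, not code from the original post or from NetPD; the header names, the two sample notices and the addresses in them are constructed for the example.

```python
# Added example (not from the original post or from NetPD): parse a plain
# "Header: value" infringement notice and list what an admin would still
# need before the IP could be matched against DHCP/NAT logs.
# Header names, sample notices and addresses are assumptions.
from datetime import datetime
from ipaddress import ip_address

# Fields the message argues a usable notice must carry; the last two cover
# the "authorized agent of the rights holder" assertion the notices lacked.
REQUIRED = ("Observed", "IP", "Protocol", "Port", "Work", "Agent", "On-behalf-of")

# Constructed sample: the kind of notice the message calls inadequate.
BAD_NOTICE = """\
IP: 192.0.2.45
Work: Foo by Michael Jackson
"""

# Constructed sample: the "at time T on date D ... using Gnutella on port P" form.
GOOD_NOTICE = """\
Observed: 2001-11-08T21:14:03Z
IP: 192.0.2.45
Protocol: Gnutella
Port: 6346
Work: Foo by Michael Jackson
Agent: NetPD
On-behalf-of: Sony
"""


def parse_notice(text):
    """Turn 'Header: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp; return None if unparseable or without a time zone.

    A naive timestamp is useless for log matching: the sender's local time
    and the admin's DHCP lease times cannot be lined up without a zone.
    """
    try:
        stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return stamp if stamp.tzinfo is not None else None


def check_notice(fields):
    """Return a list of problems; an empty list means the notice is actionable."""
    problems = ["missing %s" % name for name in REQUIRED if not fields.get(name)]
    if fields.get("Observed") and parse_timestamp(fields["Observed"]) is None:
        problems.append("Observed must be an ISO 8601 timestamp with a time zone")
    if fields.get("IP"):
        try:
            addr = ip_address(fields["IP"])
            # These ranges can never be the address the agent saw on the Internet.
            if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_link_local:
                problems.append("IP cannot be the address seen on the Internet")
        except ValueError:
            problems.append("IP is not a valid address")
    if fields.get("Port"):
        port = fields["Port"]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("Port must be 1-65535")
    return problems


def summarize(fields):
    """One-line statement of the finding in the form the message asks for."""
    return ("At %s you found IP %s serving '%s' using %s on port %s"
            % (fields["Observed"], fields["IP"], fields["Work"],
               fields["Protocol"], fields["Port"]))


if __name__ == "__main__":
    for label, text in (("bad", BAD_NOTICE), ("good", GOOD_NOTICE)):
        fields = parse_notice(text)
        problems = check_notice(fields)
        print(label, "->", problems or summarize(fields))
```

The signing step the message recommends is independent of this checker: once the notice text passes, the usual GnuPG commands are `gpg --armor --export 'Client-Notifications'` to produce the public key for the web site, `gpg --clearsign notice.txt` to sign the notice in place, and `gpg --verify notice.txt.asc` on the receiving side after importing that published key. The key user ID shown is an assumption matching the role-key approach discussed above.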