Tuesday, 25 September 2007

Terms of Service and Peer to Peer

I've been thinking lately about a hypothetical situation. Consider it a thought balloon.

If we run a peer to peer program, such as BitTorrent, or eDonkey, the RIAA and the MPAA love to root around in our computers and investigate what's there, without warrants or any invitation whatsoever. They look around, see what they can find--in my line of work this is called a fishing expedition--and if they are lucky, find some contraband: a shared movie or a new Britney Spears song (as if anybody wants those anymore). On the back of that contraband, they'll send us a demand for money. If we aren't suitably impressed, they sue us.

I'm not too excited by this. It actually kind of sucks, since most people didn't invite any industry associations to come looking at their machine.

What to do? The answer (maybe?), is Terms of Service. Terms of Service? you ask.

Stick with me here, because it will take a little explanation. You know how most web sites have terms of service? You have to agree all kinds of things. For example, blogger, in section 2 states the following:

You agree that you are responsible for your own use of the Service, for any posts you make and for any consequences thereof. You agree that you will use the Service in compliance with all applicable local, state, national and international laws, rules and regulations, including any laws regarding the transmission of technical data exported from your country of residence and all United States export control laws.

Pretty stern stuff, actually. But that's how they keep the lawyers happy, and that's exactly what I'm proposing here.

Couldn't peer to peer networks take advantage of Terms of Service to control how the computers on the network are accessed?

I'm thinking along the lines of

you may only access this computer in order to get documents for your own personal use. The organization of information on this computer is copywrited and any access for reasons of property control, or determining the sharing of files, is not permitted. In fact, your invitation to access this computer is completely at my discretion, and you are not invited if you will use the information you gather for the purposes of copyright enforcement.

I don't know. It's a bit clumsy, obtuse, and maybe too specific. The wording is almost certainly wrong, but is there wording that isn't? Is the principle sound from a legal point of view? Could each computer on the network, tell the RIAA to buzz off, 'you're not welcome anymore'?

It would be nice to think that we have a right to the privacy of our own computers. Shouldn't the RIAA require probably cause before they can investigate? A little bit like how we can hide our caller id before making a call on the telephone.

So let's say there is a legal wording that works. What happens?

Well, the next time the RIAA, or any other enforcer accessed our computers, that organization would be liable to a civil suit for violation of terms in our Terms of Service. Now that would be radical.

And thinking further, maybe even the DMCA could be brought in, along the lines of the copyleft of the GPL. That could be cool.

Still, there are a few technical hurdles to be overcome.

Imagine the technological approach: Every time a peer to peer client accesses a peer to peer server (the machine with the alleged Britney Spears mp3 on it), that client would have to agree to the Terms of Service, before the server would serve anything.

Now of course, this could be extremely tedious for the user of the client to constantly agree to terms of service while using a peer to peer network. Thousands of packets across hundreds of servers would have to be agreed to during even the most basic execution of a typical eMule transaction. Each time the client accessed a server, ToS's would pop up. That's unworkable, really.

But there is a solution around the problem. It's software, and ToS standardization.

Basically, it requires that all servers on the network in question, use the exact same ToS. Now all the user has to do, is agree to the ToS for all servers that use this ToS. All the servers have to do is verify that the right version of the ToS was agreed by the client, and off they go.

This requires baking the ToS into the p2p protocol. This would force every communication in the protocol to include the following dialog:


client: request directory (or other sensitive info)
server: tos agreed?
client: confirm tos agreed
server: directory listing returned

OK, so it's just a thought. I'm curious what other people think of this idea.

No comments: