Content-Type: text/html

On Sunday 08 June 2008 14:46:18 Kathy Bergsma wrote:
> This is not a new policy, but it's a new procedure to enforce a
> longstanding copyright policy.  The copyright take-down notifications
> last month were 10 times the normal amount.  The volume increase
> indicates that a more proactive approach is needed.  That's why we
> started the notifications, but only for the most popular p2p clients.  We
> understand that there might be legitimate use and there might be false
> positives.  We'll be glad to make exceptions to stop further
> notifications.

Your former policy was to assume innocence until you got an accusation of 
guilt (a DMCA complaint). Your new policy is to assume guilt until 
innocence is proved. That is most definitely a change in policy.

You _say_ you understand that there may be legitimate use, but your 
procedures do not adequately provide for the existence of legitimate users, 
and in fact seem to assume that the activity is illegal.

For instance, these are being sent as security incident tickets, even though 
there is only the suspicion of an incident. Policy requires that these 
tickets be contained the same day, but finding and talking to a user often 
takes longer (graduate students in particular keep strange hours).  All we 
can do to contain those "incidents" is _assume_ guilt and disconnect the 
network port until we hear from the user of the system, so we may be 
interrupting perfectly legitimate research activity because of policy.

>
> We did not anticipate that anyone would expect these notifications to
> result in fines, expulsion or deportment.  It shouldn't even result in a
> mar on one's record.  Our experience is that a reasonably honest person
> will stop bad behavior with verbal counseling.

I, and several people I've talked to, find this statement to be a bit odd. 
The instructions sent with many of the P2P tickets specifically say that if 
the activity was illegal, then:

"... inform the user's supervisor if staff, or Student Judicial Affairs if a 
student."

That means initiate the disciplinary process for illegal activity. That is a 
firing offense. I know many supervisors would just give a verbal warning on 
the first offense, but others would go by the book and get HR involved. 
Once HR is involved, there is going to be, at the very least, a mar on 
their record, if they aren't fired outright. And last I heard (which was a 
few years ago), referral to SJA also resulted in at least a notation on 
their (unpublished) record.

If you are going to proactively seek out P2P violations, perhaps UF needs a 
published policy on the discipline process for these violations. Does the 
first offense result in only a verbal warning? Or do you get fired? Right 
now, it can go either way, depending on the supervisor.

>
> We will revisit our notifications procedures.  Maybe we should drop
> investigation part of our notification and just ask the IT contact to
> refer the notification directly to the supervisor.  The supervisor can
> simply ask the user and, in most cases, an IT investigation will not be
> needed.  Does this help?

I think it would help to simply say "Investigate and ensure that the 
activity is for legitimate purposes."  For one thing, that maintains the 
presumption of innocence instead of assuming guilt.

Also, I don't think these should be handled through the normal security 
incident ticketing system (or perhaps there should be a category of ticket 
that doesn't demand one-day response), and they certainly shouldn't be 
marked as DMCA complaints when there has been no complaint.

Another problem is that it appears these tickets are being generated 
manually, which can result in long delays between the observed activity and 
the issued ticket, and in some cases, duplicate tickets for the same 
activity. We had one instance in which a duplicate ticket (different ticket 
number) was issued AFTER the activity had been contained, which resulted in 
significant confusion until we finally realized that the new ticket was 
reporting activity that had occurred 18 hours earlier.

- Bob



>
> Kathy
>
> Kisida, Todd wrote:
> > We received our first one today.  It was for legitimate use
> > (downloading a Linux ISO) and in this case it was easy to find the
> > user/computer. All in all *this* one was easy to deal with, but it was
> > special case.  I see many problems with this overall.
> >
> > According to the email, we're supposed to determine if the use of p2p
> > is legitimate or not but we're not supposed to take any action if it's
> > not. If they are downloading illegally and we ask them about it,
> > doesn't that tip the user off and possibly change their behavior?   If
> > so is that a good thing or a bad thing?
> >
> > How I'm supposed to determine if the use is legitimate or not?  Linux
> > ISO's and TV shows are clear, but what about the cases that aren't
> > clear?
> >
> > Say I've got a user sharing a Linux ISO or something for a long period
> > of time.  I'm I going to get a daily incident report?  Do I have to
> > check each time for what content is being shared? If not, what if the
> > user  decides to start sharing a TV show and I didn't follow up on each
> > report?
> >
> > While our IP addresses tend to be pretty static, they are DHCP.  Seems
> > like we'll have to check every report because an IP could have changed.
> >
> >
> >
> > -----Original Message-----
> > From: Campus Computer Coordinators [mailto:<a href="/cgi-bin/wa?LOGON=A3%3Dind0806%26L%3DCCC%26E%3D7bit%26P%3D101602%26B%3D--%26T%3Dtext%252Fplain%3B%2520charset%3Diso-8859-1" >[log in to unmask]</a>] On Behalf
> > Of Brent A Nelson
> > Sent: Friday, June 06, 2008 4:29 PM
> > To: <a href="/cgi-bin/wa?LOGON=A3%3Dind0806%26L%3DCCC%26E%3D7bit%26P%3D101602%26B%3D--%26T%3Dtext%252Fplain%3B%2520charset%3Diso-8859-1" >[log in to unmask]</a>
> > Subject: The great peer-to-peer hunt
> >
> > I am a bit surprised that I haven't seen any discussion about the new
> > policy to track down and investigate peer-to-peer activity, apart from
> > the
> > CNS announcement that they were planning to send out notices.  Well,
> > we've
> > already been notified by CNS that several users in our department have
> > been detected using peer-to-peer software.  This is the text of the
> >
> > notice:
> >> Peer-to-peer traffic was detected from IP address(es) below. Although
> >> some uses of peer-to-peer applications are legitimate, many are used
> >
> > for
> >
> >> obtaining illegal copies of music, movies, games and software.  Please
> >> investigate to identify the user responsible and determine if their
> >> use
> >>
> >> was legitimate.  If not, inform the user's supervisor if staff, or
> >> Student Judicial Affairs if a student.  Do not attempt to take action
> >> against the user yourself unless you're the user's supervisor.
> >>
> >> For more information about UF's position on copyright violations see:
> >> http://infosec.ufl.edu/copyright
> >
> > How are other departments planning on handling this? I'm really not
> > looking forward to getting staff fired (one way to handle budget cuts,
> > I
> >
> > suppose) and students expelled/deported/fined more money than they will
> > ever make. Has everyone already warned all the people in their
> > department?
> >
> > Are we really going to demand that people turn over their personal
> > laptops
> > for study/evidence gathering? Do we need to hire more personnel to
> > conduct
> > such investigations? Is this really our job?
> >
> > If peer-to-peer is allowed for its legitimate uses, but it requires an
> > investigation for each and every user, doesn't that practically
> > prohibit
> >
> > its use? Perhaps it would be better to just filter it by default and
> > allow
> > it only for specific people who claim their use is legitimate?
> >
> > Something doesn't feel right about this...
> >
> > Thanks,
> >
> > Brent Nelson
> > Director of Computing & Copyright Policeman (now, more than ever)
> > UF Physics
> >
> > PS Cans of worms should come with warning labels saying, "Do not open."