Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of technical measures to suppress online copyright infringement Stakeholder Dialogue on Illegal Uploading and Downloading Brussels 02 nd June.

Published byMarissa Casey Modified over 10 years ago

Similar presentations

Presentation on theme: "Analysis of technical measures to suppress online copyright infringement Stakeholder Dialogue on Illegal Uploading and Downloading Brussels 02 nd June."— Presentation transcript:

1 Analysis of technical measures to suppress online copyright infringement Stakeholder Dialogue on Illegal Uploading and Downloading Brussels 02 nd June 2010 Malcolm Hutty malcolm@linx.net

2 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Solving copyright infringement online Demand-led solution is required New business models that give consumers timely, affordable and convenient access to digital content legally HADOPI-style disconnection is disproportionate and contrary to the Digital Agenda Network based technical measures are inappropriate on technical, legal, economic, and social policy grounds

3 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Technical objections to network-based measures Ineffective Cannot significantly inhibit infringing behaviour amongst those that infringe Harmful to the network Can reduce network speed, create congestion Introduces new points of vulnerability, reduces network resilience Tendency for overblocking Harmful to innovation Reduces network flexibility

4 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Harmful to innovation: undermining the end-to-end principle The end-to-end principle is a basic organising principle of the Internet It says that intelligence occurs at the network edges, not in the core routers It permits technological development, including invention of web, VoIP, etc Requiring blocking at the network level undermines the end- to-end principle and the capacity for invention Arguably, it invites network operators to subvert the end-to- end principle further

5 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Harmful to the network Three ways network speed is harmed: 1. Direct processing overhead 2. Architectural constraints frozen in place 3. Diversion of investment and innovation Network resilience is undermined Introduces new potential points of failure Blocking systems are an attractive target Greatly increased attack surface Now operating at application layer Blocklist itself is vulnerable, and not only to technical attacks Tendency to overblocking (depends on technique)

6 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Inherent inefficacy of network-based measures as a policy response to online copyright infringement

7 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Protection Compliance – Help the users to avoid material that they do not wish to encounter – Prevent users from accessing material that they are actively seeking Context: Purposes of Content Blocking 1

8 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Context: Purposes of Content Blocking 2 Protection User does not want to access blocked material User will not deliberately subvert blocking system Users normal usage will usually not strain the blocking system by introducing difficult cases Compliance User wishes to access blocked material User may deliberately subvert blocking system

9 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Examples Protection Protecting families from accidentally stumbling across child pornography sites Protecting bank customers from phishing sites Compliance Prevent people infringing copyright Preventing people gambling online Preventing religious extremists exchanging views

10 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Does blocking work? How hard is it to avoid so-called mandatory blocking? Even if there are counter-measures to blocking, is it still a significant barrier to infringement?

11 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Analysis methodology Specify distinct levels of expertise proficiency levels Identify avoidance techniques for each technical measure Ascertain proficiency level required to employ avoidance technique Compare required proficiency level to engage in infringement with required level to employ avoidance technique

12 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Proficiency levels required for avoidance VERY HIGH Advanced network software research HIGH Good understanding of networking principles. Basic software development skills. MODERATE Can search for and find obscure or complex software. Can follow complex instructions. Capable of imagining secondary uses of dual-purpose software. LOW Aware of common applications e.g. peer- to-peer. Capable of following written instructions to download, install and use such software. VERY LOW Can use web browser, e-mail. Cannot set up own computer to use Internet

13 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Methodologies of Blocking End-user filtering DNS poisoning Web Proxy filtering IP blocking Hybrid IP blocking/proxy filter Network-based deep packet inspection & filtering Alternatives to blocking Removal at source / Disconnection Demand-led solutions

14 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Avoiding Blocking Systems 1 Surreptitious by-pass by PC user (MODERATE to VERY HIGH expertise) End User Filters – Use different ISPs DNS resolver (LOW expertise) – Removal by PC owner (LOW expertise) – DNS-SEC will make this obsolete – Run your own DNS resolver (MODERATE expertise) – Avoid or confuse DNS (MODERATE expertise) DNS poisoning

15 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Avoiding Blocking Systems 2 All methods except DPI and End-User Filters – Use Peer-to-Peer (LOW expertise); only provides access to content, not applications such as gambling sites – Anonymizer.com style tunnel (VERY LOW expertise) – Create your own encrypted tunnel (MODERATE expertise) – Confuse the blocking system with technical attacks 1 (MODERATE to VERY HIGH expertise, variable effectiveness) 1 Simple examples include URL Character encoding, web file-path traversal with.. etc

16 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Avoiding Blocking Systems 3 Network-based Deep Packet Inspection Avoidance technique: use file transfer software that employs encryption Requires: install peer-to-peer software (LOW expertise) Requires no additional expertise for those who are already installing such software Encryption is increasingly built-in and automatic In software that does not employ yet encryption (or another effective technique), the user would simply experience this as software failure and can simply select a new product that works. Also (or alternatively), other built-in avoidance techniques

17 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Beyond peer-to-peer Private, password-protected download sites Easy to establish (VERY LOW expertise) Essentially infinite pool of sites No limit to number of sites any individual can establish, at least until individual is brought to justice Pool of opponents is entire file-sharing community Immune to blocking until infiltrated Location unknown to enforcers; encryption defeats DPI Number of unknown locations is unknowable Cannot appear on blocking list until location is known Long life before being infiltrated Swift recovery time once infiltrated

18 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Conclusion of analysis Network-based measures are inherently ineffective All known measures have well known counter-measures Counter-measures are intrinsic not implementation-dependent Counter-measures are as easy or even easier to employ than it is to infringe in the first place Q.E.D., those people already infringing cannot be dissuaded by such technical barriers to infringement It is unreasonable to expect ISPs to deploy inherently ineffective measures Especially considering other objections

19 Supporting Annex

20 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION End User Filtering Methodology Software installed on each PC prevents access to certain materials Financial Costs Varies; from bundled product to around 50 per PC Falls on customer Non-financial costs Choice of sites to block can be questionable Classification of sites can be questionable 20

21 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION End User Filtering 2 Features Commonly targets web, e-mail Rarely targets Games, IM, Peer-to-Peer etc Vibrant commercial market means state of the art is continually advancing Customer has choice of a wide range of reasons for sites to be blocked (e.g. pornography, violent imagery, gambling, racism, even lack of educational value) 21

22 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Web Proxy Filtering Methodology All web traffic passed through a proxy cache, which selectively refuses access to particular web pages Financial Costs Very high (100,000s for an ISP with 50,000 customers) Non-financial costs Can slow down network traffic Can reduce network reliability But no overblocking 22

23 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Web Proxy Filtering 2 Features Centralised mandatory blocking of all web traffic Generally, limited block-list from a qualified source e.g. court, IWF Does not block non-web traffic 23

24 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION DNS Poisoning 1 DNS is the system that translate human-readable addresses into machine-readable Internet protocol addresses Example DNS address: www.google.comwww.google.com Corresponding IP address: 216.239.59.147 Every ISP provides a DNS resolver to look up these translations for its customers. Each customer configures their PC to use their ISPs DNS resolver as part of the process of connecting to that ISP Whenever they visit a new website (or use any other Internet resource), their PC contacts the DNS resolver to discover the IP address to contact Customer could instead configure their PC with any other DNS resolver, e.g. from an American ISP or one they run themselves 24

25 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION DNS Poisoning 2 Methodology ISP configures DNS resolver to lie about existence of sites to be blocked Financial costs Low (Can be less than 5000 per ISP) Non-financial costs Massive over-blocking, as a whole domain is blocked (e.g. all of MySpace, Geocities, terra.es etc) Surprisingly difficult to implement without errors 25

26 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION DNS Poisoning 3 Features Blocks more than just web; But non-use of DNS by site operators can limit effectiveness; and Over-blocking is a serious problem, and can cause user rejection 26

27 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION IP Address Blackholing 1 Methodology ISP prevents all traffic from routing to specified IP addresses Financial costs Depends on length of block list Non-financial costs High level of overblocking due to shared web space (e.g. all of MySpace, Geocities, terra.es etc) 27

28 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION IP Address Blackholing 2 Features Blocks access for all protocols Over-blocking is again a serious problem Danger of unintended outcomes e.g. Pakistan YouTube incident 28

29 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION IP Blackhole/Proxy Hybrid (Cleanfeed) Methodology Use the same technology for IP-based blocking to route only selected traffic to a web proxy; the web proxy decides what to block Again, web proxy element means only blocks web sites Financial Cost Less than full proxy, but still substantial Non-financial costs Over-blocking greatly reduced compared with IP address blackholing 29

30 EUROPEAN INTERNET SERVICES PROVIDERS ASSOCIATION Encryption and peer-to-peer Can peer-to-peer file-sharing be protected by encryption without defeating its purpose? Encryption can defeat DPI Manual enforcement at edges can act post TLS decryption DTECNET/Media Sentry approach Only works for transport-layer encryption, not encrypted payloads IP address thereby obtained can be used for enforcement But DPI still cannot break encryption tunnel Technically possible to spot (and block) all activity by same IP address (super-HADOPI) Still not possible to identify similar transfers by this or other IP addresses

Download ppt "Analysis of technical measures to suppress online copyright infringement Stakeholder Dialogue on Illegal Uploading and Downloading Brussels 02 nd June."

Similar presentations

Tivoli Software from IBM Storage Resource Management Webcast

Tivoli Software from IBM Storage Resource Management Webcast
Computer Networks TCP/IP Protocol Suite.

Computer Networks TCP/IP Protocol Suite.
Stakeholders' dialogue on illegal uploading and downloading:

Stakeholders' dialogue on illegal uploading and downloading:
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Internet Censorship In order of appearance: Dmitriy Bespalov Ilya Braude Brian McBurney Yaroslav Volkov.

Internet Censorship In order of appearance: Dmitriy Bespalov Ilya Braude Brian McBurney Yaroslav Volkov.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Similar presentations

Ads by Google