[governance] Re: France To Require Internet Service Providers To Filter Infringing Music

Wed Nov 28 05:49:47 EST 2007

Le 28 nov. 07 à 02:05, Dan Krimm a écrit :

> At 1:18 AM +0100 11/28/07, Meryem Marzouki wrote:
>> Le 27 nov. 07 à 22:25, Dan Krimm a écrit :
>>
>>> Another question I heard elsewhere is: does the deep packet  
>>> inspection
>>> violate EU privacy laws?
>>
>> I'm not sure I understand what you mean by "deep packet inspection"
>> here?
>
> In order to detect infringement, the content must be identified as  
> it is
> passed through the net.  In your earlier message you referred to it as
> "filtering techniques" such as provided by Audible Magic (also  
> referenced
> in the title of this email thread).

Thanks for the explanation (and thanks, McTim, for the pointer).  
Actually, I don't know the answer to your question, as I'm not sure  
how deep this inspection goes, it depends on the system used: if used  
to only identify that it's P2P traffic (I assume we can call this  
protocol filtering), does this necessarily mean *content* inspection  
in the sense of privacy laws? Advanced network analysis tools (for  
e.g. QoS analysis or any other metrology studies) are based on  
"application flow classification". This is needed for fine analysis  
of network operation, but may also be used for other purposes, as we  
know. So, I personally wouldn't advocate a radical position against  
any use of such tools, but rather look at (1) how proportional is  
their use w.r.t. a given purpose and (2) whether the use is actually  
limited to the claimed purpose, which should obviously be legitimate.  
These two criteria are actually the cardinal principles of EU  
personal data protection legislation. Then come user rights  
recognized in this legislation (information on, and access to, user's  
data being processes, etc.). And they all should be examined on a  
case by case basis.

> Perhaps, as you noted, this must be in conjunction with IP  
> addresses, etc.,
> to identify the supposed infringers.  I guess it comes down to the  
> status
> of the "legal order" to get the identifying info in the case of  
> claimed
> infringement.  Would this proposed system create some sort of "blanket
> legal order" to allow bulk access to identifying info in case of  
> flagging
> of infringing content in the filtering system?

Not necessarily "blanket", but in any case a rather easy to obtain  
legal order (see my previous answer to Rui in the same thread, with  
the link given).

> Even if the IP address "is not personal data" anymore in France, at  
> some
> point they do have to get some personal data to prosecute the  
> claim, so at
> some point there are personal data involved, and one would assume  
> that at
> that point the privacy laws would kick in somehow, unless the  
> identifying
> path is so "spread out" that the law cannot catch it at any  
> specific point
> in the path.

What I'm trying to explain is that once you get a legal order, you  
can go to the concerned ISPs and ask them for the identity of the  
concerned persons, given the IP addresses (and other relevant trafic  
data such as date, time, etc.). Given that, on the other hand, there  
are data retention laws, you're done. Like it or not, this is lawful.

Meryem____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.cpsr.org
To be removed from the list, send any message to:
     governance-unsubscribe at lists.cpsr.org

For all list information and functions, see:
     http://lists.cpsr.org/lists/info/governance