September 9, 2003
University of Utah
Peer-to-Peer File Sharing
Associate Academic Vice President for Information Technology
Office of Information Technology
University of Utah
September 9, 2003
The University of Utah is the oldest university west of the Mississippi, offering 75 undergraduate degree programs, along with more than 38 teaching majors and minors, and over 90 graduate majors. The University is ranked among the top 35 research institutions in the nation with particular distinction in medicine, genetics, and engineering.
2002 Fall Semester enrollment was 28,000. Of these, 86% are "resident" students. 44% of the "non-resident" population consists of international students. Less than 1% of the students live on campus in apartments and dormitory facilities.
Importance of Information Technology and Networks
The University of Utah was one of four original pioneers of the ARPANET education and research network (1969) which became the Internet we know today. The University continues to be a leader in the development and delivery of networked electronic services to its constituents.
The University of Utah is home to the Utah Education Network (UEN) which provides electronically delivered educational resources and Internet connectivity to all of Utah's institutions of higher learning, school districts, and public libraries. The UEN provides statewide coordination of distance learning for public and higher education, including Utah's Electronic High School and Electronic College.
The successful fulfillment of the higher education and public education mission is inextricably tied to internal networks, computing resources, and the Internet.
Peer-to-Peer - An Evolving Technology
The University can foresee the emergence of a wide range of collaborative, project management, business planning, and academic/educational applications, that could take advantage of the underlying technical architecture of Peer-to-Peer technologies.
A few developing applications have begun to demonstrate the power of Peer-to-Peer communications. These emerging applications when combined with other Peer-to-Peer collaboration tools, such as Instant Messenger, may enhance an individual's academic experience and expand educational opportunities to more citizens.
Groove Networks, Microsoft, Apple, and other software vendors appear to be poised to launch a new wave of interest in Peer-to-Peer. These new applications may enable individuals to collaborate with each other, to participate in audio and video conversations, and to exchange files and information. One can easily imagine the business, government and education applications that may be enhanced by these developments.
Peer-to-Peer (P2P) services have been controversial since their inception. Tens of millions of users freely share music, movies and software. The entertainment and software industries have increased their efforts to prevent sharing of copyrighted materials. Businesses and organizations like the University of Utah, which own networks and act as Internet service providers to their constituents, have been caught in the middle of this struggle.
With the rise of Napster, universities scrambled to find a way to block or restrict P2P activity. At first, this was relatively easy and only required a simple port block at a router. Products like Morpheus and Kazaa emerged and became the preferred service for quick and easy downloads. At first, these could be easily blocked.
In early versions of P2P software, a network administrator was able to use a simple command to connect to a P2P client, and obtain a list of content being shared from that computer. The privacy of the individual was not an issue because the person offering downloads was publicly posting their content.
Then Kazaa version 2 arrived. This clever "upgrade" in P2P software removed the ability to view content with simple connections, and added basic firewall evasion tactics. The new version also allowed anyone sharing files to be classified, or "promoted" to a "Super-Node" status, depending on the quality of the network to which they are connected. The P2P client software literally promotes itself, based on how much bandwidth is available to it, moving the computer higher on the list of desirable download sites. This has been a significant change for higher education institutions because of their high speed Internet connections.
When the Recording Industry recently announced that it would more aggressively pursue legal remedies against those who share copyrighted materials, Peer-to-Peer usage decreased somewhat. However, software developers have indicated their intent to alter P2P software to mask the identities of file sharers.
The use of Peer-to-Peer file sharing to introduce malicious code (virus and worms) is also a growing problem. The time may be approaching when the total risk of operating a Peer-to-Peer software sharing client on a network outweighs even the needs for legitimate uses of this technology.
These issues place universities in a very difficult position, trying to find a balance between enabling a promising new technology, while discouraging inappropriate, illegal, or threatening behavior.
In an effort to resolve this dilemma, a Joint Committee of the Higher Education and Entertainment Communities was formed last fall and is comprised of leaders representing universities, higher education organizations, and music and motion picture executives. The committee aims to provide a range of resources to school administrators in three basic areas: educational efforts (including practices surrounding the use of copyrighted works, student responsibility, and implications for peer-to-peer network file sharing), technological solutions (including computer network management technologies available to reduce illegal file sharing and the development of legal, campus-based music and movie/entertainment services), and examining differences and exploring prospects for collaboration on legislative initiatives.
What is the University of Utah's stance on Peer-to-Peer file sharing?
The University deals with Peer-to-Peer file sharing based on compliance with State and Federal laws and regulations and University policies governing the appropriate and acceptable use of information resources.
The University considers the illegal sharing of copyrighted materials a violation of the U.S. Copyright Act. The University's acceptable use policy is also violated when any of the following occur:
1. The behavior is not a valid educational or academic activity.
2. The behavior is not required to conduct the business of the University.
3. The behavior does not show restraint in the utilization of shared resources.
4. The behavior is not consistent with intellectual property rights and/or ownership of data.
5. The behavior compromises the security of information resources.
6. The behavior monopolizes resources or reduces other's access to information resources.
7. The behavior wastes University resources.
8. The behavior results in illegal copying, storing or transmitting of patented or copyrighted materials using University resources.
9. The behavior violates any federal or state laws, including copyright, pornography, or export laws.
What steps does the University of Utah take to monitor its network?
The University of Utah, like other institutions of higher education, places a high value on academic freedom and inquiry and the free flow of information of all types with a reasonable expectation of privacy. Therefore, the University monitors traffic flows, not content. Traffic flow is a measure of the amount of data that is transmitted over a network, while content is the information contained within the data flow.
The Utah Education Network serves public education (K-12) and libraries and therefore does provide content filtering services for those entities that need to screen content that is inappropriate for the consumption of minors.
The primary purpose of data flow monitoring is to identify patterns of network activity that may affect the health and availability of network resources. Suspect flow patterns include unusually high bandwidth consumption which may, or may not indicate Peer-to-Peer file sharing activity.
The University's acceptable use policy allows content monitoring only for the purpose of evaluating an employee's job performance. All monitoring must be relevant to work performance. Employees receive information about their work that is gained through monitoring. Disclosure and use of resulting data is restricted to University-related purposes.
For example, if an employee's job performance is declining, and it is suspected that the reason is that the employee's time is being used for non-job related Internet activity, the Supervisor, with approval of the appropriate Vice President, may request that the employee's network use be monitored. The employee is informed that their use of the network will be monitored before the monitoring actually occurs. Employees typically discontinue the inappropriate use of the network when they receive notice that monitoring will occur. If inappropriate use continues, the employee is subject to disciplinary action in accordance with University policy.
The University also collects "top talker" reports. These reports identify networked devices that use the highest percentage of available bandwidth. Because the University must maintain its network and plan for future demand, we inquire as to the actual use of "top talking" users. Student housing residents, who appear on a "top talker" report, usually acknowledge downloading or sharing large amounts of P2P data. However, not all users that are sharing copyrighted materials appear on a "top talker" report.
The University may disconnect "top talkers" who share copyrighted materials over Peer-to-Peer networks once we are aware of it.
These steps have been effective in reducing illegal Peer-to-Peer file sharing.
What is the University of Utah's experience with Peer-to-Peer file sharing?
During periods of high Peer-to-Peer activity, i.e., when students return in the fall, P2P traffic may total as much as 30% of the total bandwidth consumption. Without active management, it is possible for the top ten "top talkers" to monopolize as much as 15% of the University's bandwidth.
Peer-to-Peer file sharing impacts educational networks operationally and economically. File sharing can slow networks, restrict access for legitimate academic pursuits, and require the acquisition of more bandwidth to meet legitimate academic requirements.
What is the University of Utah doing about Peer-to-Peer file sharing?
Education is an important key to resolving file sharing issues. The open nature of the Internet has led people to believe that virtually anything found on the Internet is free for the taking. Internet users must learn that principals of ethical and appropriate behavior on the net should not differ from expected behavior in life outside of the Internet.
New students receive instruction regarding Peer-to-Peer file sharing during new student orientation sessions. E-mail and web sites are used to communicate with faculty, staff, and students regarding Peer-to-Peer file sharing.
The processes and procedures used by the University to deal with specific copyright violations and inappropriate P2P file sharing include the following.
1. Receipt of Notification. The copyright holder notifies the University of an allegation of copyright infringement and requests that the University take action to remedy the situation.
2. Discontinuation of Service. The University immediately disconnects the computer alleged to be illegally uploading or downloading copyrighted materials and deactivates the user ID of the individual responsible for that computer.
3. Teaching Opportunities. Service is not restored until the user meets with the University's Security Office so that the complaint can be fully investigated. Depending on the findings, the student is instructed regarding the consequences of illegal file sharing and signs an agreement, stating that they will cease all such activity. The end user is informed that signing the agreement does not release them from the possibility of further liability under the U.S. Copyright Act.
4. Proactive measures. "Top talkers" are contacted. If illegal file sharing is disclosed or discovered, the responsible party receives the same treatment as someone who is the subject of a complaint from the entertainment or software industry.
5. Technology vs. Technology. The University has made attempts to block inappropriate file sharing using technological solutions. However, these solutions have not been successful, in spite of the abilities of extremely talented information technology professionals.
a. Blocking router ports. File sharing software evolves as fast as a network administrator can make such changes, making this an expensive and ineffective solution.
b. Rate-limiting or "shaping" bandwidth. This entails limiting the amount of bandwidth that is available to end users. When this approach is used, appropriate academic uses may also be restricted.
c. Access Control Lists to prevent Peer-to-Peer sessions. This solution invariably restricts legitimate network uses and is therefore unacceptable.
While these procedures do not prevent new incidents of P2P file sharing, the University has been able to virtually eliminate the incidence of repeat offenses.
While the University does not monitor content of network transmissions in the normal course of business, this does not mean that downloading pornographic materials using Peer-to-Peer networks, or storing such information on University owned computing devices is an acceptable use of University resources.
Provided that the use of pornography is not for academic or research purposes, this behavior is dealt with in terms of job performance and is handled through the supervisor/employee relationship. If a person is using work hours to download or view pornography, shop on e-bay, play games, or is using the network for any other excessive, non-incidental, performance impacting personal activity, they are subject to University acceptable use and employment policies.
At times, computers in student laboratories have been used to view pornography or for other non-academic pursuits. This activity is typically discovered by the lab staff, sometimes by receiving a complaint from another lab patron. The University's experience indicates that most of this behavior does not involve, faculty, staff, or faculty members, but rather, is the result of walk-in traffic into open access laboratories, i.e., campus library computing labs. This problem is diminished, almost entirely, when access to the network requires the user to authenticate, or log onto the network, using a distinctive user ID and password.
In the event that a student, faculty member or staff member is found to possess illegal pornography, i.e., child pornography, whether or not it was downloaded from the Internet and stored on University information technology resources, they are deemed to be in violation of federal and state laws and are reported to the appropriate law enforcement agencies.