What's Yours Is Mine: Protection And Security Of Data In A Digital World

By Francis J. Gorman

As businesses and individuals have, whether they like it or not, grown increasingly more dependent on the use of electronic data networks to communicate and transmit data and information, the ability to control the flow of such data and information has grown increasingly more valuable and more critical. To individuals, for example, the ability to protect one’s personal privacy and personal information may be important for reasons of personal security and safety. To businesses, for example, the ability to protect data may be important for reasons of protecting core business assets. From either point of view, it is apparent that the increased use of electronic data networks has made it easy for someone to misappropriate someone else’s data and make it their own.

I. Protection of Personal Information

A. Security and Assurance Methods For The Storage And Transmission of Electronic Data

The movement and volume of information transmitted in electronic data form has outpaced the ability to protect and secure that data. Yet despite the expanding demand for quick access to and transmission of more and more electronic data, serious concerns have arisen about protecting and securing private and confidential information contained in the data. For example, the transfer of medical information, financial information, and confidential business information has given rise to security concerns relating to the protection of such information as it travels through electronic data networks.

Protection and security methods need to be implemented by those responsible for storing electronic data, the data “custodians”. What are the security and assurance methods now in use when storing electronic data? The first matter to address with respect to storage is in what place, or on what physical media, the electronic data will be stored. Traditionally, electronic data has been stored on physical media such as floppy disks, compact discs, flash memory devices, and the like. More commonly, electronic data is now stored on less portable media such as fixed hard disks, either local to the user or at a remote location. With data stored remotely, users are not required to purchase and maintain physical devices; instead, the data may be accessed through “cyberspace” using electronic means such as websites or electronic briefcases.

The protection of data storage facilities in cyberspace may utilize security and assurance methods such as firewalls and perimeter defenses, which act as virtual barriers to prevent unauthorized entry onto and use of a computer or computer network. In addition, intrusion detection systems and system scanning software are available which alert the custodian of the electronic data when the stored information has been or is being accessed.

Methods of physical storage enable the user to keep data secure under old-fashioned lock-and-key methods, at the expense of inconvenience. Physical storage methods may also utilize electronic security methods on top of the physical security, and physical storage devices may themselves include embedded electronic assurance and security schemes.

One of the most basic security and assurance methods now in use when using or transferring electronic data is the secret code or password. The use of secret login requirements, such as a username and password for access to e-mail or a PIN for access to bank accounts, is a fundamental precaution whose use is nearly universal. It is no longer sufficient to merely carry a particular key, identification card, or other physical form of identification and assurance; today the vast majority of electronic data transmission initiated in this country, such as e-mail, is secured by at least some form of secret code security. Beyond these fundamental security methods, an increasing number of users add additional protection using encryption schemes (such as public and private key systems). Encryption schemes allow users to be reasonably certain that messages are not intercepted and read by third parties, because only the sender and recipient have the keys necessary to electronically “unlock” a particular transmission.

Most of the security and protection methods in common use today are limited because they rely on information provided by a user rather than on information about a user. Everything from passwords to digital signatures, and even encryption keys, requires the user to provide some piece of information in order to gain access to the electronic data. If an unauthorized user is able to obtain this information (or any other required security or assurance protections), then that unauthorized user can trick the computer system into believing that he or she is the authorized user and thereby gain access to the information or other sensitive data.

Most of the recent research and development in security and assurance methods has been directed towards developing a reliable, user-friendly, and cost-effective system of security based on the unique characteristics of the actual person trying to access the data. Biometric methods meet these criteria and, in the future, are likely to be much more commonly used. Some biometric security methods currently being developed and/or perfected are fingerprint identification, voice recognition, facial recognition, and retina/iris scans. These biometric security and assurance methods are already in use in many governmental and military organizations, in business organizations closely aligned with such organizations, and in organizations that, for other reasons, are highly advanced in the protection of confidential personal or business information. Each of these biometric methods has pros and cons.

Fingerprints have been used for identification for many years, and the public is familiar with the concept of fingerprinting for identification purposes. Fingerprints provide a unique identifier for individuals, and fingerprint scanners require a user to place one or more fingers on a scanner so that the user’s fingerprint can be read to verify (versus a database of known fingerprints) that the user is the actual person who is entitled to access or have the electronic data. Fingerprint scanners and fingerprint recognition systems are the least expensive of the biometric security devices being developed, and they are relatively easy to use.

Voice recognition, for security and assurance purposes, is a sophisticated system of voice authentication, somewhat analogous to fingerprint recognition but utilizing sound patterns (the voice) instead of physical patterns (the print). The system starts with the authorized user’s “voice print,” typically made and verified by a trusted party. When a user seeks to access electronic data or seeks physical access to premises containing confidential data, certain words are spoken by the user, creating a second voice print, and the voice authentication system then detects whether the voice in the second voice print matches the authorized user’s voice print contained in the database. Some hurdles to overcome in voice recognition technology include changes or variations in a person’s voice over time and/or due to conditions such as colds, congestion, and emotional state.

Facial recognition matches a given face of a user to a database of faces of authorized users. Facial recognition is a non-intrusive method (like voice recognition) which attempts to match certain standard facial features, such as the distance between the eyes, or to use image-based technology to compute “eigenfaces,” a word derived from the German prefix “eigen,” which means “own” or “individual.” Facial recognition systems deconstruct a person’s facial image into eigenfaces, producing a related set of facial characteristics that the computer uses to recognize an authorized user’s face. Facial recognition systems can also use other biometrics, such as skin or hair color, in attempting to recognize an individual. Some drawbacks of facial recognition are problems caused by variations in external conditions such as lighting and the user’s position and distance from the camera, as well as variations caused by facial expressions, aging, and make-up.

Retina and iris scanning technologies may be the most accurate biometric recognition technology, but they are very intrusive to the user and are, so far, somewhat difficult to use. Retina scan devices measure patterns of a user’s retina at over 400 different data points (compared to fingerprint recognition technology, which may use only 30 to 40 different data points). To use such a system, the user must put his or her eye within 1/2 inch of the scanning device and hold still for a period of time while the retina scan does its work. Because retina scanning is slow and relatively expensive, retina scanning technology is used today only in very high-end security applications, such as highly sensitive areas of military installations or nuclear power plants, where the increased accuracy of the technology offsets its cost and cumbersomeness.

Continuing research in biometrics will likely cause some or all of these methods, now used in high-end security situations, to migrate to more common electronic storage and transmission of data. For the immediate future, it is very likely that simple biometric methods will be more widely integrated with existing protections such as user IDs, passwords, encryption keys, etc. By integrating these methods, i.e., requiring both information from the user and information about the user, the overall protection and security is significantly increased.

B. Management of Security Methods

Any security and protection method requires some sort of management. Those who possess electronic data, regulate access to it, or transmit it must manage the security and assurance methods in place. Just as the mere act of buying a safe cannot, without some further effort such as placing the valuables inside it or keeping the combination secret, automatically protect all of your valuables, merely installing a security device without further effort will not automatically or immediately achieve security and protection of the data.

The security manager of an organization must make sure that the methods put in place are actually followed, used, and properly implemented by persons working in the organization. Management must keep abreast of changing technologies in order to keep the security and assurance methods and policies ahead of the abilities and ingenuity of electronic hackers and thieves. The actual practices of the persons who implement and use security and assurance methods are, ultimately, more important than the methods themselves.

C. Legal Principles Governing the Protection and Security of Electronic Data

1. The nature of the electronic data

Our society promotes the free and open exchange of information and ideas. The First Amendment to the U.S. Constitution and our free press (the Fourth Estate) are testaments to this. Yet, significant quantities of information, now commonly in electronic form, are considered private, confidential, or classified. The law protects information that is considered private, confidential, or classified, although in any particular situation the law may require disclosure of such information in the face of a superior, competing interest such as public safety, individual rights, or national security.

A person’s legal right to privacy has been espoused for well over 100 years in this country. See Warren and Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 195 (1890). The legal right to protect confidential information against disclosure is well established in business and commercial settings by trade secret law as well as through various privileges such as the privilege between doctor and patient or attorney and client. The treatment of classified information in governmental and military situations is also well established under law, primarily under statutes passed by Congress and executive and military orders issued by the President. Even though there are scholarly and journalistic challenges to the extent of these claims to privacy, confidentiality, and classified information, there are large quantities of such information, and the owners of this information expect the custodians of the information to protect and secure it against improper disclosure or misappropriation.

The owner, or source, of private/confidential/classified information may give such information to another (the custodian) for a wide variety of purposes and reasons. A patient gives a medical history to a doctor for treatment purposes and considers the medical history to be private information. A business gives a confidential formula to a manufacturer for purposes of producing a product and requires the manufacturer to keep that formula secret and not to permit its disclosure. The government shares confidential diplomatic information with another country, or the military provides confidential technology to a manufacturer to build a weapons system, and in both instances the information is considered classified.

2. Common Law Duty

What is the duty of care on the part of the custodians of private/confidential/classified information? Leaving aside the “high-end” custodians like foreign government allies and large defense contractors because their disclosure of classified information would result in serious national security consequences and would not be handled using typical legal or judicial means because of the attendant publicity, we will focus here on the ordinary custodians of private and confidential information. What duty of care does the law impose upon them?

The sources of the duty are found in the common law, federal and state statutes, professional ethics responsibilities, and court decisions. The common law recognizes tort liability for disclosing private information concerning another person:

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.

Restatement (Second) of Torts § 652B.

Prosser defines the duty of care as “a duty, or obligation, recognized by the law, requiring the person to conform to a certain standard of conduct for the protection of others against unreasonable risks.” Prosser & Keeton on Torts § 30 at page 164 (5th Edition, 1984). Prosser goes on to discuss when a new duty is recognized by the law and concludes:

Changing social conditions lead constantly to the recognition of new duties. No better general statement can be made than that the courts will find a duty where, in general, reasonable persons would recognize it and agree that it exists. Prosser & Keeton on Torts § 53 at page 359 (5th Edition, 1984).

There is no doubt that the law is moving toward recognition that a custodian of private or confidential electronic data owes a duty to the owner of that data to protect it against unauthorized disclosure.

3. Statutory Obligations

Federal and state statutes also impose a duty on custodians of private or confidential data to protect it from unauthorized disclosure. The relevant federal statutes include the Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681b (protects consumers from the transmission of inaccurate information about them, and establishes credit reporting practices that utilize accurate, relevant, and current information in a confidential and responsible manner); Privacy Act of 1974, 5 U.S.C. § 552a (protects the privacy of individuals identified in computerized information systems maintained by federal agencies by preventing misuse of information); Right To Financial Privacy Act of 1978, 12 U.S.C. §§ 3402, 3417 (protects individuals from governmental authorities obtaining copies of, or having access to, the information contained in their financial records from financial institutions unless the financial records are reasonably described); Cable Communications Privacy Act of 1984, 47 U.S.C. § 551 (requires notice by the cable operator to the subscriber regarding personally identifiable information in order to protect consumer privacy); Computer Security Act of 1987, 40 U.S.C. § 759 (provides the government with computer standards and government-wide computer security); Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (protects individuals from disclosure of certain personal information when renting video materials); Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721, 2724 (prohibits state motor vehicle departments from knowingly disclosing personal information obtained from motor vehicle records); Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502, 6504 (protects children from deceptive acts by operators of websites or online services in connection with the collection and use of personal data from and about children on the Internet); and Stored Wire & Electronic Communications & Transactions Records Access Act, 18 U.S.C. §§ 2702, 2707 (protects information of individuals that is stored on an electronic communication service from knowingly being disclosed while in storage).

States have passed similar statutes. Maryland has a computer security crime statute making unauthorized access to a computer a crime. Maryland Criminal Law Code Ann. § 7-302; see also Briggs v. State, 348 Md. 470 (1998) (defendant-employee who was entitled to use/access employer’s computer but who exceeded the scope of his authorized use of the computer was not convicted, because the statute applied only to those who did not have authorization to access the computer in the first place). Maryland established an Advisory Council on Medical Privacy and Confidentiality (Health Law § 4-3A-05), and the Attorney General’s office established an Electronic Transaction Education Advisory and Mediation Unit (State Government Law Code Ann. § 6-202). There is an abundance of statutory expressions that custodians of private and confidential information must protect such information from disclosure.

4. Professional Responsibility To Protect Data

Those custodians who are in professional relationships with owners of private and confidential information, such as doctors, social workers, attorneys, etc., have a responsibility not to disclose the private and confidential information provided to them by their clients. The American Medical Association’s Principles of Medical Ethics § 5.05 (1992) states:

Information disclosed to a physician during the course of the relationship between the physician and patient is confidential to the greatest possible degree.

The Maryland Rules of Professional Conduct for attorneys, Rule 1.6, deals with the confidentiality of information:

(a) A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraph (b).

The exceptions in subparagraph (b) relate to disclosing information to prevent criminal or fraudulent conduct and to comply with disclosure required by court order or other legal requirements.

5. Court Decisions

Like any property entrusted to a custodian, the custodian has a duty to care for it and not to permit its unauthorized use. There are very few, if any, reported cases on civil liability attaching to a custodian of electronic data who, through lack of adequate security and protection measures, permitted or caused the electronic data to be transmitted to, or accessed by, an unauthorized person. There are, however, a number of reported decisions in related contexts which make clear that civil liability can attach to a negligent custodian of private or confidential electronic data: Doe v. Roe, 599 N.Y.S.2d 350 (1993) (physician who gave information on a patient’s HIV status to the attorney for the patient’s employer liable for damages); Fierstein v. DiPaul Health Center, 24 S.W.3d 220 (Mo. App. 2000) (hospital that released a patient’s psychiatric records to her husband before a deposition, without permission or notice to the patient, liable for emotional distress damages plus punitive damages); Dessel v. Dessel, 41 N.W.2d 359 (Iowa Sup. 1998) (lawyer who represented a partner in a partnership dissolution and subsequently used confidential information he gained in a suit against that partner held liable for negligence); Levias v. United Airlines, 500 N.E.2d 370 (Ohio 1985) (physician disclosed patient information to the patient’s supervisor and was held liable for $14,000 in compensatory damages).

Banks and other financial institutions have long been held liable to their customers for unauthorized disclosure of financial records. The Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-10, imposes upon financial services institutions a duty to secure the confidential records and information of their customers, to protect against unauthorized threats to the security and integrity of the information, and to prevent unauthorized access or use.

In Maryland, a bank has been held liable for the unauthorized disclosure of financial information. In Suburban Trust Co. v. Waller, 44 Md. App. 335 (Md. App. 1979), a bank security official called law enforcement officials because he believed a large deposit of money by a customer was stolen money. The Maryland court noted that bank customers have the right of secrecy and that a bank is under an implied obligation to keep secret its record of deposits and withdrawals by the customer. The court held:

We think that a bank depositor in this state has a right to expect that the bank will, to the extent permitted by law, treat as confidential, all information regarding his account and any transaction relating thereto. Accordingly, we hold that, absent compulsion by law, a bank may not make any disclosures concerning a depositor’s account without the express or implied consent of the depositor.

44 Md. App. at 344.

In 1976, the Maryland General Assembly had passed a statute providing that banks may not, absent legal compulsion or authorization from the depositor, reveal any information to anyone about the depositor’s dealings with the bank. The statute makes knowingly and willfully furnishing financial records in violation of this subtitle a misdemeanor, and likewise makes it a misdemeanor for anyone to attempt to have a bank officer provide such information. Article 11, § 227(a) and (d), Md. Code Ann.

D. Security of Personal Information Will Become A Matter of Personal Identification

More and more, businesses and professionals are custodians of private and confidential information in electronic data form. They store it and often transmit it in the course of their activities. In order to retain the public trust in the security of electronic information, the custodians of such information must secure and protect the private and confidential electronic data they are storing, they must prevent unauthorized access to and use of this private and confidential data, and they must use care in the transmission of this data to make sure it is transmitted or accessible only to authorized users.

Fulfilling these obligations requires an increased awareness of threats to the security and integrity of electronic data and of methods for assuring secure storage and transmission of private and confidential data in electronic form. It has become easier every day to receive, store, and transmit ever-larger quantities of electronic data, and significant portions are considered by their owners to be private and/or confidential. The custodians of this data should be aware of their responsibility to implement and manage steps to secure and protect the data. Providing login information is currently the most common security method. Available, but less common in actual use, are digital signatures, encryption keys, and smart cards. Integrating one or more of these methods with login security is feasible now with respect to private and confidential information.

In the future, more sophisticated techniques based on biometrics will become more commercially available. The implementation, use, and management of biometric security methods, alone or integrated with more traditional methods, will someday become the standard of care for custodians of private and confidential information.

II. Protection of Digital Media: Your Music Is My Music

As technology has developed, typically at a very rapid pace, the law and legal rights holders (such as copyright owners) have struggled to keep up. One of the challenges for the courts has been in determining how existing laws apply to new factual scenarios when many of those scenarios were never conceived of when the laws were originally drafted. One such situation has arisen in the arena of copyrightable material such as music, a problem exacerbated by the ease and efficiency of file sharing technology and the explosive growth of large computer networks simultaneously connecting scores of users via the Internet. Rather than having to deal with the protection of personal, confidential data, certain businesses have had to protect their own electronic assets and prevent their unauthorized distribution. This issue has had the greatest (and most widely reported) impact on the music industry.

A. Digital File Transfers

The copying or misappropriation of intellectual property such as books, photographs, and other artistic endeavors is not a novel concept, but computer technology, and specifically the proliferation of digital transfer mediums allowing the rapid duplication of large volumes of digital data, has made such copying and misappropriation a simple task for even the most novice computer user. This is because digital transfer permits the creation of perfect digital duplicates. Thus, while in the past, it was difficult to duplicate a photograph or song without losing some image or sound quality, digital technology has eliminated such degradation in quality: the copies are identical.

To understand the problems that exist with respect to misappropriation of electronic media such as digital music, it would first be useful to briefly consider the factors which have come together in creating an environment where, without much effort, someone can anonymously, easily, and near instantaneously create a high-quality music collection without buying a single record, cassette tape, or compact disc. Those factors are the rise and proliferation of digital music, the historical practices relating to the marketing and sale of recorded music, the creation of compression technology, and the spread of multi-user computer networks.

B. Analog vs. Digital Music

Traditional music, such as that played by a live band, is in an analog format. When that analog music is converted into a digital format, the music signal is actually being sampled at a certain frequency and to a certain accuracy, converting one continuous stream of sound into millions of tiny samples or steps. For most music converted into a standard digital format such as the format used for compact discs, the human ear cannot typically detect the difference between a digital and an analog recording, though the analog music is actually more technically complete than the digital music.

In the past, music was traditionally sold via physical, tangible mediums. One of the earliest modern mass-produced and mass-marketed mediums was the vinyl record, a purely physical medium carrying an analog recording. After the advent of vinyl records, analog devices utilizing magnetic tape, such as the audio cassette tape, were introduced. More recently, those mediums have mostly been replaced by compact discs, digital versatile discs, and other formats carrying music encoded into various digital formats.

While digital transfer poses a problem for most forms of copyrightable media, it is especially problematic in the area of music. This is, in part, due to the way that music is marketed and sold versus other forms of media, and also due to widely available file compression technology which now permits music media to be compressed into a size which is small enough to be portable while causing little to no loss in sound quality.

In comparison to music, photographs and still images are rarely sold to individual consumers, and when they are, they are typically produced with high quality characteristics (e.g., high quality paper, large format images, etc.) or with other physical enhancements; therefore, the transfer of digital still photographs, and the relative ease with which their commercial use may be policed, makes infringement less problematic than with music. Movies, due to their length and because they combine video and audio, are typically extremely large in size, with huge amounts of data, and therefore the digital transfer of movies of the same quality and characteristics as the original is somewhat difficult with existing technology, making movie piracy difficult for the typical computer user or movie buff (though there have been a number of advances in video compression technology in recent years which have the movie industry worried about digital piracy as well). Music is unique in that, unlike photographs, it is typically sold on a per-song or per-album basis to consumers. Once legally purchased, the consumer has in his or her hands a perfect digital recording which can then be easily duplicated and distributed.

Prior to the advent of computers equipped with CD-ROM drives, the most common way for most consumers to duplicate music was to record it from one physical medium to another, such as copying from tape to tape. Invariably, the copy was never as good as the original. Advances in computer technology allowed computer data drives (e.g., CD-ROM) to read the digital data contained on music compact discs and copy that data to a user’s computer. That data could then be digitally copied to another location, and, when copied to another compact disc, it created a perfect digital duplicate of the original compact disc.

C. Digital Duplication of Music: MP3

Advances in software technology have allowed the digital music taken from compact discs not only to be copied but also to be manipulated. One such advance, which some consider the harbinger of digital copyright infringement and music piracy, is file compression technology. The most popular and well-known format for music compression is known as MP3. The MP3 compression format permits a CD-quality digital music file to be compressed to roughly one-tenth of its original size without noticeably affecting the sound quality. With this degree of file compression, the MP3 format not only allows users to save significant space on their computers, but also significantly increases the portability of music files. Whereas, before compression formats such as MP3 existed, digital music files could not easily be transferred due to their size and the relatively slow speed of most computer data connections, now such transfers happen quickly and easily due to the significantly compressed file sizes and the proliferation of ever faster data networks.

While the past format standards were promulgated by the record companies, the MP3 file format is a user-driven format. This is an important and noticeable distinction because it underscores the fact that the record companies, the owners of the copyrights for most of the musical performances that make up commercially distributed music, do not and have not had a controlling hand in the development of the MP3 format or its proliferation and use by consumers.

Compression technology such as MP3 was useful to computer users and commercial broadcasters, but it did not become immediately useful to the general public. The value and power of compression technology, and the fact that record companies do not control that technology, became apparent with the advent of a system of file sharing known as peer-to-peer file sharing (“P2P”) and an online file-sharing system called Napster.

D. Peer to Peer Networking

P2P is a method of networking (computer to computer communication) where one computer in the network has the same communication capability as the next computer in the network. Therefore, under the P2P model, any computer in the network may initiate communications with any other computer in the network, either directly or through a central computer. As used in this context, the term communication includes the ability to share and exchange files.

E. Napster

Napster was a P2P system originally started in 1999 by an innovative Northeastern University freshman. Napster allowed its users to share files stored on their individual computer hard disks (typically music files, though the system allowed the sharing of other types of files) directly with any other users of the Napster system. Each user would run a small piece of software which allowed that user’s computer to connect to Napster’s central servers. Napster’s central servers would then act as a catalog for the music files located on each user’s individual computer.

When a user would search for a particular song, Napster’s central servers would show a list of all instances of that particular song existing on each computer connected to the Napster network.  Then, a user would simply have to select a particular instance of the song and the song would be downloaded to that user’s computer directly from the other user’s computer. This system was innovative and effective because it allowed Napster’s central system to avoid having to store all of the billions of songs that eventually became available on its network. One of the fastest growing websites in history, Napster grew from having zero users at its inception to over sixty million users in one year, its growth spurred in large part due to the widely publicized copyright infringement suit filed by the Recording Industry Association of America (RIAA), a trade group that represents the U.S. recording industry.

F. RIAA vs. Napster

The danger of Napster was readily apparent to the RIAA: it allowed anyone with a computer and an Internet connection to permit anyone else with a computer and an Internet connection to instantaneously create a perfect duplicate of a digital music file. Each of those duplicates could be further duplicated to create additional perfect clones, and those files could easily be transferred to the medium of the users’ choice, including onto a compact disc. While some Napster users attempted to argue that the Audio Home Recording Act of 1992 provided a legal justification for the sharing of music files (namely that the sharing was a private, noncommercial use akin to allowing your friend to borrow music that you may legally own), the RIAA quickly realized that the actual use of the Napster system was far from mere borrowing. The ability for users to quickly create and transfer digital recordings had the potential to significantly harm the ability of record companies to sell music in compact disc form because now, unlike in the past, the copy was just as good as the original.

The RIAA’s lawsuit against Napster (and eventually others) was based on claims of vicarious and contributory copyright infringement under federal and state laws. Filed in the U.S. District Court for the Northern District of California in December 1999, the lawsuit was filed in the name of the RIAA’s member record companies, and was filed against Napster and certain undetermined and unnamed individuals, namely Napster users. In the Complaint, plaintiffs state that “Napster is far more insidious than a typical pirate MP3 [web]site [which would simply store and share music files].”  Part of this insidiousness is due to the fact that it was extremely difficult to identify Napster’s individual users and therefore to name the alleged infringers. While the P2P term was not widely used and was not mentioned in its lawsuit, the RIAA realized the danger of allowing millions of songs to be copied and shared anonymously through a network allowing individual user computers to connect to each other in order to share data.

Ultimately, the RIAA was successful in its action against Napster due to the fact that, while its P2P network did not require it to keep all of its data in one place, it did require centralized servers in order to catalog all of the information residing on all of its individual users’ computers. When Napster was ordered by the court to shut down its servers, the lack of that centralized catalog also destroyed the ability of Napster users to continue using the P2P network.

P2P networking, and Napster in particular, had created a demand in computer users for the ability to share data (including music files), and while Napster was suddenly gone, the demand for its services still existed. Instead of trying to capture and harness the global music distribution network that Napster had created, which relied on a managed, centralized computer server (one possible solution), the RIAA killed that network. In its place sprung up new networks that did not require the use of a centralized server. Thus, the RIAA effectively eliminated the lesser evil and, perhaps, paved the way for a greater evil.

G. Decentralized P2P: The Napster Alternatives

There are now many P2P file sharing systems with names such as Grokster, Morpheus, and Bearshare, each of which utilizes the “Gnutella” standard and which work, in one way or another, without requiring a centralized computer server to act as a database (as Napster did).  Instead, these systems, known as decentralized P2P systems, allow individual user computers to shoulder a small portion of the computing load in locating files and downloading files.  By doing this, the systems are able to essentially spread huge computing tasks out over thousands of computers, making complex tasks much simpler and more manageable.

Because, using these new decentralized P2P systems, individual computers are able to connect directly, one to another, no centralized database is necessary to identify and catalog songs.  And since users may connect to the network using different (but related) software programs, it is more difficult for someone such as the RIAA to identify and track the system’s users.  As a testament to the popularity of such P2P systems, the most popular of the Napster replacements, a service known as Kazaa, is reportedly the most downloaded computer program in history.  Not to be outdone by the RIAA, in July 2003, the company behind Kazaa announced plans to launch its own trade group in an attempt to further the cause (and legitimacy) of P2P networking.
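The architectural difference described in sections E, F and G (a central catalog that can be switched off versus a query relayed from peer to peer) can be shown with a small in-memory model. This is an added example, not code from the article or from any of the systems it names; the peer names, song titles and neighbour links are constructed sample data, and the hop-limited flooding search stands in for the Gnutella-style lookup the text mentions.

```python
# Added example, not code from the article: a toy in-memory model contrasting
# the two catalog architectures described above. Peer names, song titles and
# neighbour links are constructed sample data; no real network is involved.
from collections import deque

# Constructed: which peer holds which song titles.
PEER_FILES = {"peer-a": {"song-1"}, "peer-b": {"song-2"},
              "peer-c": {"song-2", "song-3"}, "peer-d": {"song-3"}}
# Constructed: neighbour links forming a ring a-b-c-d-a (Gnutella-style overlay).
PEER_LINKS = {"peer-a": ["peer-b", "peer-d"], "peer-b": ["peer-a", "peer-c"],
              "peer-c": ["peer-b", "peer-d"], "peer-d": ["peer-c", "peer-a"]}

def build_central_catalog(peer_files):
    """Napster-style: every peer registers its titles with one central index."""
    index = {}
    for peer, files in peer_files.items():
        for song in files:
            index.setdefault(song, set()).add(peer)
    return index

def central_search(song, catalog_online=True):
    """Peers holding `song` according to the central index; the download itself
    goes peer to peer. With the index offline, peers cannot find each other."""
    if not catalog_online:
        return set()
    return set(build_central_catalog(PEER_FILES).get(song, ()))

def flood_search(song, start, links=PEER_LINKS, files=PEER_FILES, ttl=3):
    """Decentralized: the query is relayed neighbour to neighbour for at most
    `ttl` hops; each peer answers for its own files, so there is no index to
    take offline, and a missing peer only removes that peer's own files."""
    seen, hits = {start}, set()
    queue = deque([(start, ttl)])
    while queue:
        peer, hops = queue.popleft()
        if song in files.get(peer, ()):
            hits.add(peer)
        if hops == 0:
            continue
        for nxt in links.get(peer, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops - 1))
    return hits
```

Taking the central index offline empties every search in the first model, whereas removing any single peer from the ring still lets the remaining peers locate each other's files in the second, which is the single point of control the court order against Napster relied on and the decentralized networks lack.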

H. Substantial Noninfringing Use

While Kazaa and its P2P brethren have been targeted for legal action by the RIAA, recent court decisions have held that P2P software exists for legitimate purposes, because there are legitimate, legal uses for the file sharing systems, including the ability to allow users to transfer and share documents and files that are not copyrighted and which are not music files. In the case of Metro-Goldwyn-Mayer Studios Inc., et al. v. Grokster, Ltd., et al., currently pending in the U.S. District Court for the Central District of California, a federal judge granted motions to dismiss filed by defendant P2P software companies, stating that the defendants “distribute and support [P2P] software, the users of which can and do choose to employ it for both lawful and unlawful ends.” A similar decision in a 2001 lawsuit in the Netherlands against Kazaa determined that Kazaa was not responsible or liable for the infringing acts of its users, in part because the software itself could be used for legitimate purposes.

The reasoning used in the decisions upholding the validity of the P2P systems is analogous to the reasoning used in the landmark Sony Betamax case (Sony Corp. of Am. v. Universal Studios, 464 US 417 (1984)), the case which upheld the legality of Sony’s Betamax videocassette recorder on the basis that the recorders offered the opportunity for substantial noninfringing use, and the value of such noninfringing use outweighed the harm that could be caused by illegal uses such as video piracy. These types of legal setbacks for the RIAA and its member companies, while not legitimizing the sharing of music files, could give companies providing the software that enables the sharing of music files (such as Kazaa) a significant defense against copyright infringement actions levied against them. However, the battle is being fought by the RIAA on many fronts, and there has been no final (unappealable) word on the legitimacy of P2P file sharing systems.

I. The Battle For Control of Digital Music

The RIAA has taken a vigorous approach in its battle against digital music piracy, sending cease and desist notices to those parties it believes are offering copyrighted music available for download, whether via a P2P network or not. In fact, it has been so aggressive in its enforcement efforts that in May 2003, it had to send out retractions for notices of infringement sent out in error, including one notice erroneously sent to the astronomy and astrophysics department of Penn State University. It turns out that the department actually had no infringing files anywhere on its network.

One of the problems in the RIAA’s battle against music piracy is that, because there is apparently a huge population of music pirates who also happen to be computer users, their battle to protect copyrighted music may be a very difficult one. Thus, while there is certainly legitimacy to the RIAA’s interests (namely that its member companies are the legal owners of a vast number of copyrights) and therefore there is a right, under the law, to compensation, the technological means for piracy exists but the technological means for enforcement does not.  Until a viable security option is available which will allow the music files themselves to be protected in the same way personal information is protected, the distribution networks allowing the sharing and copying of such files will continue to exist and proliferate. At present, many data security methods have been investigated or are being developed to protect commercial music, but there has yet to be a system that the consumer market will accept which would still allow the record companies to retain control over their copyrighted material. On the positive side for the RIAA, it appears that consumers are, under the right circumstances, willing to pay for and use electronic music files, as demonstrated by the success of Apple Computer’s iMusic site, which sold over one million songs at ninety-nine cents apiece during its first week of business in May 2003.

The continued existence of systems such as P2P networks which make it easy for anyone to take and trade in the data (music or otherwise) of others may cause changes in the way music is sold and distributed or in the way data is secured and protected. As technology development races along at an ever faster pace, the law will struggle to keep up and try to find new ways of applying old laws to balance the rights and needs of consumers and businesses, copyright holders and the users of that copyrighted material. Future court decisions will likely help guide consumer behavior and the behavior of businesses such as record companies and the RIAA, but it is likely that the Napster battle was only the first of many battles.  With all of the many rapid advances being made in computer technology, when one side builds the better mousetrap, the other side can and will simply build the better mouse.


Francis J. Gorman is a partner and Michael S. Yang is an associate with the firm of Gorman & Williams in Baltimore, Maryland.