Intellectual property law is a thorny area. This is particularly so when it is combined with modern audio and video technology, which make it easy to collect enough trademark violations on a single laptop to exceed the budget of a small country in legal fines. If, like me, you've had the joy of explaining to users why they can no longer play on YouTube, you'll know how little the average employee knows about the finer points of the Copyright Designs and Patents Act and its partners in law.
Not that I'm an expert by any means; the law is a complex one and full of peculiarities. For example, it's permitted to copy a printed article for "personal research", but not to record a documentary for the same purpose. Online documents might be "documents" in copyright terms, or they might be "databases", which receive slightly different treatment. Contrary to popular belief, there's no "fair use" clause allowing you to transfer CDs on to iPods and other such devices. It's all thoroughly confusing, with the Act containing well over 100 separate clauses in often obtuse legal language.
The ready availability of computers powerful enough to convert audio and video into portable formats has upset the organisations that protect the interests of big-business copyright holders. In the US, the MPAA and RIAA, representing the motion picture and musical industries, have taken a hard line. There have been a number of prosecutions of private individuals for illegally downloading music. Given that both organisations claim the problem is still rampant, the effectiveness of these measures is doubtful.
In the UK, the BPI has followed suit, and hot on the heels of prosecutions have proposed that internet service providers should act on "tip-offs", processed by the BPI, to force offending users offline along the lines of "three strikes and you're out".
Indeed, the reports that Apple's iTunes now sells more music in the US than anyone other than Wal-Mart suggests that the legal download market is actually rather successful. A quick review of the "statistics" trumpeting huge losses due to downloads is an interesting exercise in what passes for evidence these days, with most of them extrapolated from unverified survey results. While it would be foolish to suggest that the illegal download market has not affected sales, it would be equally foolish to assume that every download has resulted in someone not buying a CD or DVD.
On the side of the file sharers, there are equally vocal groups that, in extreme cases, equate the use of intellectual property law with the emergence of a repressive state. The freely downloadable "Steal this film" documentaries (www.stealthisfilm.com) provide a good counterpoint to the MPAA and RIAA worldview. However, if you take some of their assertions at face value, the world will soon be awash with self-published material and traditional publishers will disappear. This seems both unlikely and undesirable.
So where does this leave the business user? The poor IT security guy has to face the wrath of angry users when they find out YouTube is blocked and they are not allowed to share their iPod collection over the network. More worrying is the influx of new employees to whom the idea of paying for intellectual property seems old-fashioned. Whereas most users understand that installing pirate software is a bad thing, many don't realise that using their work PC to manage their iPod is just as risky to the business.
Fortunately a review of the UK copyright law is in progress (you can read the initial results at http://tinyurl.com/2degdgmm). Among the proposed changes are permission for "personal use" format transfer to decriminalise the iPod community and improvements to the personal research clauses. A second review is planned before it becomes law, so I suggest you review the proposals and make sure your voice is heard.
Finally, remember that no amount of research will make a security person a lawyer, and there is no substitute for professional legal advice. Good legal advice isn't cheap, but it is usually very good value.
- Nick Barron is a security consultant. He can be contacted at firstname.lastname@example.org.