Universities in the US have been deeply burdened by the Higher Education Opportunity Act that President Bush signed into law last year. In particular, the Act require that “schools ensure they are doing all they can to combat illegal file sharing among students. The new rules, according to the wording contained in the legislation, requires institutions to develop plans to “effectively combat the unauthorized distribution of copyrighted material, including through the use of a variety of technology-based deterrents.” Schools must also “to the extent practicable, offer alternatives to illegal downloading or peer-to-peer distribution of intellectual property.” Any institute found to be non-compliant could lose federal funding” (Source).

To combat unauthorized distributions, technological solutions such as bandwidth shaping and traffic monitoring need to be implemented. Such solutions need to be integrated with advanced DMCA response practices. Of course, some of the companies that are being courted to meet these demands are those that incorporate DPI into their copyright ‘solutions’. I’ve discussed, generally, how these technologies work on campuses from iPoque’s position when writing about one of the company’s whitepapers. In that post, I wrote,

In essence, ipoque argues that educational institutions should consider deploying DPI to limit their students from consuming bandwidth for infringement purposes, where that bandwidth is needed for other university business. This is an effort to normalize DPI by ‘teaching’ the educated elite that filtering is permissible even in educational environments. If such activities are permissible in a space of academic freedom, then surely filtering practices are permissible outside of these special environments!

The attempts to lean on schools to ‘regulate’ their students is a mode of governance meant to instill a particular, very American, conception of intellectual property and copyright into the hearts and minds of university students. Given the broad implications of American attitudes on these subjects, as well as on the topics of cultural growth and free speech, IT departmentsshould not be the business of deciding whether DPI should come to campus; students and faculty members who are indebted to academic freedom and best able to understand the implications of wide-spread filtering of Internet content should have the first, and final, say about whether these network appliances are permitted onto campus grounds.

I stand by my worry that pervasive analysis of students’ data transfers threatens to normalize persistent analyses of all data traffic, though in this case there is a federal directive that universities are (effectively) obliged to ‘teach’ students that copyright infringement is a ‘serious’ offense. Long-term normative effects may be felt, though this assumes that students won’t quickly find ways to evade any DPI-based solution. Some methods of evasion might include using P2P systems that have proxy-capabilities baked into the systems to obfuscate destination and origin IPs while simultaneously encrypting traffic. Given that students are often at the forefront of counter-surveillance movements (when they impede activities they want to engage in) and the growing ease of using highly sophisticated P2P programs, I have real doubts that it is even possible for network admins to actually limit P2P should intrusive monitoring systems be adopted.

I really see a few things emerging from this act, widely, across American universities:

1. Money will be spent on anti-infringement technologies. Most technologies will be unsuccessful in stopping infringements, but will let schools continue to receive federal funding.
2. Students will quickly find ways around the technologies that have been deployed, effectively nullifying the effectiveness of these technologies.
3. As a result of how students get around these technologies, these same students might ‘get used’ to the idea that all of their data is analyzed and learn just how easy it can be to encrypt and proxy their traffic.

While some might see #3 as a positive (Christopher Soghoian has written about this some in the context of DPI), I worry that this just extends to ‘encryption wars’ that have been ongoing for the past two decades or so without actually addressing the social issues at hand. Do we really want to live in a world of such persistent surveillance? While some people might claim that they have nothing to hide, this doesn’t mean that you trust everyone or that you are willing to disclose how you operate to devices that are not, and will likely never be, perfectly accurate. 70-90% accuracy is great…until you need to spend thousands or millions of dollars to clear your name from an incorrect copyright infringement charge.

It really seems that America (and Canada too, for that matter) must think about surveillance from an ethical, rather than just a legal, framework. Fair Information Principles (FIPs) will ensure that companies meet certain criteria for engaging in surveillance, but do not necessarily ask whether or not they should be engaging in particular kinds of surveillance in the first place. The legal discussion is helpful, but not sufficient, if we’re to genuinely engage with and challenge some of the uses of data analysis/surveillance systems.