
Liability for P2P file swapping on a corporate network

Could an enterprise be legally liable for the presence of P2P file swapping clients on its network?

Yes, the entertainment industry is on the warpath against illegal file trading. Most notably, the Recording Industry Association of America is taking aggressive legal action against anyone directly or indirectly participating in unauthorized swapping of music. While RIAA has grabbed headlines by subpoenaing hundreds of colleges and ISPs, and suing hundreds of students and other individuals, it is also targeting private enterprises whose employees engage in illicit downloading.

On enterprise networks, software clients that facilitate file-trading through networks such as KaZaA are vermin that should not be tolerated. These are executable programs that will not be stopped by antivirus products or firewalls. Their presence on corporate or school IT resources exposes the organization to liability. Prudent managers will proactively monitor for these applications and eradicate them.

A legitimate enterprise doesn't intend to promote illegal file trading. But P2P networks for bootleg tunes, movies, software and the like are popular among employees, students and visitors. These users will install client programs that link with P2P networks, such as KaZaA Media Desktop (KMD), on enterprise resources.

Songs, motion pictures, music videos and software are protected under copyright laws, which normally forbid the exchange of unauthorized copies. The laws have teeth, as they are enforced with substantial monetary penalties. An enterprise cannot avoid liability by just ignoring what its IT users do in their spare time. The laws punish organizations that indirectly participate in copyright infringement, under theories such as contributory infringement and vicarious liability.

Contributory infringement occurs when someone knowingly contributes to someone else's infringement. Vicarious liability applies where an enterprise has the right and ability to control the activities of a direct infringer and also receives a financial benefit from the infringing activities. Under these two concepts, the owner of a flea market was held vicariously liable for the sale, by individual vendors in the market, of counterfeit copies of music CDs. [Fonovisa Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996)].

Applying the weight of this precedent, the RIAA forced a publicly traded company in Arizona, Integrated Information Systems, Inc. (IIS), to pay $1 million to settle claims that it tolerated employee sharing of MP3 music files over its corporate server. [Lisa Bowman, "Labels settle at-work song-share dispute," CNET News.com, April 9, 2002.]

Then in February 2003, pointing to IIS' punishment as an example of things to come, RIAA and the Motion Picture Association of America rattled sabers at corporate America. They dispatched letters to chief executives across the country warning that P2P file swapping could lead to legal action and the payment of stiff monetary damages.

None of Mr. Wright's statements on SearchSecurity.com are legal advice for any particular situation. If you need legal advice, you should consult a lawyer.

This was last published in February 2004
