On Location: Policy Enforcement: University of Florida Gainesville
The University of Florida's Icarus P2P-blocking software has clipped students' file-sharing wings. Do the school's policy-enforcing capabilities go too far?
February 13, 2004
For IT practitioners everywhere, UF's story is sure to touch off a debate that is as timely as it is timeless: How much network policing is too much?
Overnight Success
THERE'S NO DEBATE ABOUT ICARUS' EFFECTIVENESS. Before it was turned on, there were as many as 3,500 simultaneous violators at any given time on the Gainesville campus, school officials say. On the day the switch was flipped, 1,500 violators were caught. There were only 19 second-time violators and no third-time violators. Purged of the digital cholesterol of media files, the network saw an 85 percent drop in uplink data volume.
Since then, violations have slowed to a trickle. Another 500 or so have been caught for the first time, 150 for the second time and four for the third time. Only third-timers are formally charged with violating the terms of use, and their cases are sent to the campus judiciary.
The inventors of the software say it can be applied to any number of network threats and annoyances, including spam, worms, viruses, Trojan horses and denial-of-service attacks. In fact, even before it was applied to P2P traffic, Icarus controlled the Welchia worm by automatically quarantining infected computers, university IT officials say. The software is so good that a campus committee on licensing decided last month to apply for a patent and explore ways to commercialize Icarus (see "Is Icarus the Next Gatorade?" page 46).
Icarus was born just as the recording and film industries started turning up the heat on college administrators to do something about the rampant copyright infringement occurring under their roofs. Nobody knows for sure what percentage of all P2P file swapping occurs on college campuses, but demographics and high-speed connections--often hundreds of times faster than home broadband service--make campuses a hotbed of P2P activity, experts say. UF students will soon get gigabit connections to the desktop, upgraded from 10- to 100-Mbps connections.
Figure: University Traffic Patterns
Contractors monitoring P2P networks on behalf of the RIAA (Recording Industry Association of America) and the MPAA (Motion Picture Association of America) are hunting down the most flagrant traders of copyrighted works on college campuses. In turn, the trade groups are sending thousands of complaints to college administrators every month.
College campuses have come up with a mix of technical and nontechnical answers. Most have simply throttled down the bandwidth devoted to file-swapping programs, using traffic-shaping tools from Packeteer and other network monitoring vendors. (For an explanation of how that works, see "Warding Off WAN Gridlock.") A straightforward and inexpensive approach, this method has other advantages over blocking P2P traffic completely: It's less likely to anger students, and it keeps campus administrators out of the copyright debate.
Some universities, including the Massachusetts Institute of Technology, have established no technical safeguards, only strengthening the wording of their policies on piracy. But most schools, even MIT, are complying with entertainment industry requests to identify users snagged by the RIAA and MPAA dragnets.
Still others have found creative ways to manage the flood of traffic generated by music and movie swapping. Stanford University caught heat two years ago when it set up a server to manage requests for music files on the popular Gnutella file-sharing service. The IT department's goal was to cut down on requests leaving the campus by directing queries internally, to PCs in the dorms, thus easing the strain that music files were placing on external links to the Internet. But the MPAA complained that the server effectively handed students a tool to violate copyright laws, and the university shut it down after six months, recalls Richard Holeton, Stanford's head of residential computing.
Now Stanford relies on traffic shaping alone; the university has no plans to impose additional restrictions. There's "nothing illegal" about using the protocols associated with P2P file sharing, says Holeton, who calls UF's policy draconian.
"To me, to use any kind of network-management tool to identify somebody who might potentially be doing something is kind of Big Brotherish," Holeton adds. "It's like pulling over everybody on the highway who is driving a certain kind of car that could potentially be breaking the law, and giving them a ticket."
Says Fred von Lohmann, a senior staff attorney at the Electronic Frontier Foundation: "If John Ashcroft asked us to do this, we'd be crying foul, but the recording industry does it and we roll over."
A spokesman for the RIAA wouldn't disclose how many universities have been subpoenaed for names of students, but he did say, "Virtually every university has complied."
ROBERT BIRD, COORDINATOR OF NETWORK SERVICES in UF's housing division and the lead developer of Icarus, counters that the program was not developed to enforce copyrights. Rather, it was conceived as a way to enforce a ban on servers operated out of dorm rooms. The IT staff was already monitoring such activity manually, by examining log files, but the process was laborious and reactive. Icarus automates the collection and analysis of log files contained in the university's routers, switches, firewalls, port scanners and intrusion-detection systems. It also dynamically enforces the no-server policy by issuing a pop-up warning on the user's desktop and shutting down Internet access until the user complies with campus policy, Bird says.
UF's no-server policy has been in place for six years. School officials were concerned that some students would use their high-speed connections to run commercial Web sites. The policy is not uncommon for campuses that run separate network operations for housing, as UF does, Bird says. Many Internet service providers also prohibit the use of personal broadband connections for Web serving and other applications that demand high-speed uplinks.
Figure: Icarus Setup
Since Icarus went live last September, only three of the 7,500 students living on campus, most of them freshmen, have asked to be exempted from the no-server rule, and those requests were granted, Bird says. In all, there are fewer than a dozen exceptions to the rule campuswide. (No exceptions have been granted for P2P software use, but users can still activate P2P-sharing sessions on the academic and wireless networks, because Icarus isn't used there.) The low number of exemption requests shows that while there are clearly legitimate uses for on-campus servers and maybe even P2P file-sharing applications, those instances are rare. Bird contends that the policy is not as heavy-handed as critics suggest.
But some network administrators at other schools say it's contrary to a research university's mission to prohibit servers. One admin points out that when David Filo and Jerry Yang set up a Web server in a Stanford dorm room a decade ago, it became Yahoo. Bird sees it differently. "If 85 percent of your bandwidth is wasted on trivial activity, you can't get legitimate research done," he says. "We simply don't have the spare bandwidth." Before the launch of Icarus, Bird says he often received complaints from dorm residents who couldn't download video of their classes because of network congestion.
Others object to Icarus on the grounds that it doles out punishment without due process. "If your computer starts a file-sharing event, there is an automatic punishment levied against you in that your connection is terminated," says Chris Hoofnagle, associate director of EPIC (Electronic Privacy Information Center).
In a way, that's exactly what UF's administrators were hoping for. Before Icarus, Bird was sending about 1,000 cases of copyright violations to the campus judiciary every semester. Since Icarus went live, the campus judiciary has had to process cases against only the four third-time violators. Bird says he actually protects students from lawsuits, because he stops their illegal activity before the RIAA or MPAA discovers they are active P2P users.
UF campus officials say Icarus helps them educate students about copyright infringement and their responsibility as network citizens. Weeks before the software was turned on, school officials blanketed the campus with warning flyers. "This is better than just turning them over to the authorities or disciplining them outright because there is still a lot of misunderstanding about it," says J. Michael Rollo, vice president for student affairs.
Icarus has the added benefit of keeping network costs--and, by extension, student fees--low, Rollo says. "We've got to keep in perspective what it costs to run this network, and make sure we can get video of the next economics lecture to the desktop," he says.
Outside Pressure
COPYRIGHT INFRINGEMENT MAY NOT HAVE BEEN THE REASON Bird and his co-worker, Will Saxon, developed Icarus, but to some administrators, stopping piracy was as much of a goal as freeing up bandwidth.
Pressure from outside the campus was clearly mounting last spring as the software was being developed. At that time, Norbert Dunkel, the director of housing and residence education and Bird's boss, was appointed to a committee investigating the impact of P2P file sharing for the ACUOI (Association of College and University Housing Officers International). Also, in April, Kathy Bergsma, the university's information security manager, received a record 73 complaints from the entertainment industry that UF students were illegally distributing copyrighted works. Those complaints would be handed off to Bird to investigate, and Bird would then turn over his findings to the campus judiciary.
Most college campuses appoint someone like Bergsma, usually a data security administrator, to field complaints under the Digital Millennium Copyright Act. The DMCA, passed by Congress in 1998, updated U.S. copyright laws to address issues such as fair use, service-provider liability and the circumvention of digital copyright protections.
"We love Icarus because it reduced our workload tremendously," Bergsma says. She has received no DMCA complaints about dorm residents from the entertainment industry since Icarus was turned on, though she still receives some complaints about users on the academic and wireless networks, where Icarus is not in use.
Sandy Senti, Bergsma's DMCA counterpart at Stanford, stops short of endorsing Icarus, even though it would ease her workload. "There's a very fine line we walk between fostering innovation and ensuring that people are doing the right thing," she says.
Only a handful of students came in to UF's campus housing office to complain after Icarus was turned on, Dunkel says. He thinks the outcry wasn't louder because most users recognized that what they were doing was indefensible. Those who did complain were mostly concerned that campus administrators were looking at the content of downloads. But Bird assured those students that he didn't need to see the content to identify the traffic as P2P.
Privacy isn't the only beef among critics. Hoofnagle of EPIC is concerned that UF is inhibiting student expression simply by demonstrating an ability--and willingness--to tie computer activity to end-user identities. "It's important that students not feel like they're being monitored," he says, "so that they're willing to explore ideas that might be controversial."
UF'S STUDENT NEWSPAPER, THE INDEPENDENT ALLIGATOR, has called Icarus "invasive," "annoying" and "evil." The paper advocates a policy more like the one at Penn State University, where students can listen to all the music they want, using the relaunched (and now commercial) Napster service. Penn State pays Napster an undisclosed sum on behalf of students for a so-called tethered music service, and those fees are passed along to students as part of a $160 annual technology fee, says Russell Vaught, Penn State's associate vice provost for information technology.
Users of tethered music services download recordings and pay a kind of rental fee for the copyright. In order to keep the music when they are no longer Penn State students, users can choose to take over the monthly payments for the tethered service or convert to perpetual rights by paying either 99 cents per song or $9.99 per album.
Penn State operates a local cache for Napster downloads, so only about 10 percent of them come from outside the campus, Vaught says. And because the service uses commercial-grade servers and compression, Napster downloads are far leaner than those using Kazaa. Tracks that can take as long as 20 minutes to download over Kazaa take less than a minute on the campus service, Vaught says. In the end, while Penn State isn't eliminating music downloads as UF is, the activity places only a light burden on the network, he says.
As for Icarus, more than 100 universities have quietly expressed interest in the software. The University of Arizona has agreed to beta test the software when UF releases the code in the spring, says Ted Frohling, UA's principal network systems analyst. Until that time, the university is relying on traffic shaping. IT gives P2P traffic a low priority rating between 7 a.m. and 5 p.m. but places no restrictions at other times.
Still, the UA campus attorney's office has decided that the university will not chase down students for suspected copyright violations, though it will act on complaints from the RIAA and MPAA. Campuses with this type of policy generally believe that if they routinely police their networks, they will subject themselves to legal action under the DMCA, which states that campuses must stop any infringement they know about.
P2P Off-Campus
IT'S UNCLEAR HOW MANY COMMERCIAL Internet service providers will want to follow UF's lead and restrict the use of their networks for P2P file exchanges. Several big and small ISPs contacted for this story say most of their services provide dedicated bandwidth that isn't affected by the loads other customers place on the network, so they have no reason to regulate use.
But that's not the case for cable operators, whose share of the broadband market is growing rapidly. Users of Internet-over-cable share their bandwidth with their neighbors, and the commodity pricing, usually under $50 per month, is based on the assumption that users won't hog bandwidth. Data-transfer rates explode as more subscribers set Kazaa and other P2P file-sharing programs to download large media files all day in the background. As transfer rates increase, cable providers have a choice: Increase capacity to accommodate the growth, or set limits on the total transfer rates allowed per month or on the use of specific protocols such as those inherent to P2P file-sharing services.
"It's like electricity: If one person is melting down the power grid, shut that person down," says John Pescatore, a data security analyst at Gartner.
Cable operators can cite other reasons to closely monitor user activity. Some experts estimate that as much as 70 percent of the traffic on cable data networks is generated by spam and viruses. As much as they would love to rely on Microsoft and other software vendors to fix these problems, cable providers can't afford to wait.
At least one cable operator has begun to crack down. Comcast measures the amount of bandwidth each subscriber consumes; those who use "excessive" bandwidth are warned that they are violating the terms of service and abusing their user privileges. Comcast is also one of the providers that agreed to divulge the identities of users suspected by the entertainment industry of copyright infringement. Other such providers include BellSouth, EarthLink, Time Warner Cable and Verizon.
Experts agree that Icarus and programs like it will have to adapt as the architecture of Web applications evolves. In fact, Fred Cohen, an analyst at the Burton Group, calls Icarus unexceptional as a new technology. By relying on unique traffic patterns to identify types of data traffic, it will always be susceptible to illicit network activity designed to look like legitimate traffic, true to the fundamentals of computer science.
Even Tom Temple, the MPAA's director of Internet enforcement, agrees that the ability to monitor file transfers will get harder as more Web applications take on P2P characteristics. The latest Apple operating system makes a Macintosh a Web server right out of the box. "You can open it up as an FTP server and share your hard drive; that is a form of P2P," he says. Also, the latest version of AOL Instant Messenger permits direct, PC-to-PC transfers of files, including copyrighted works.
Whether Icarus and similar programs endure as a solution to the P2P problem or any number of other network nuisances, it will be up to network administrators and their employers to determine where the line should be drawn between innovation and automated network enforcement. That debate has only just begun.
DAVID JOACHIM is editor of the NETWORK COMPUTING Enterprise Architecture Group.
OUR FIFTH "ON LOCATION" documentary-style case study takes us deep inside Dixie, to the University of Florida, Gainesville. UF is the envy of many rival colleges, and not just because of the Gators' winning football record. Lately, it's the IT department's homegrown P2P-blocking software--dubbed Icarus, for Integrated Computer Application for Recognizing User Services--that's been garnering attention. A collection of PERL scripts, Icarus culls data from network-monitoring tools and zeroes in on traffic patterns that resemble P2P transfers. It then automatically limits offending end users' access to the internal campus network only. The students must stop using the P2P software to regain Internet access.
We'll look at the team that developed Icarus and some possible uses beyond the university's borders. We'll also address the question: When does prudent network management cross the line to draconian network micromanagement?
Robert Bird: Coordinator of Network Services
At Work: Responsible for the design and management of the University of Florida (UF) housing network
At Home: 28 years old. Single, no children. Hobbies include modifying and racing cars, mountain biking, and traveling
Alma Mater: UF, B.S. in mathematics
HOW HE GOT HERE:
1997 to present: Coordinator of network services, University of Florida (UF)
1996 to 1997: Network security analyst, Institute of Food and Agricultural Science, UF
MOUTHING OFF:
What I say to critics of P2P blocking: "Why don't you oppose blocking denial-of-service attacks?"
Most surprising student response to a P2P warning: "I thought it was OK to use for movies, because the RIAA doesn't sue for those."
If I only had a bigger IT budget, I would: "Give some very hardworking people well-deserved raises and hire additional helpdesk staff."
I work at UF because: "They take technology and security seriously, while encouraging research and a progressive work environment."
The most misunderstood aspect of my job: "That I make value judgments about appropriate content."
Greatest business challenge: "Dispelling the assertion that restricting application access is philosophically different from imposing limits on heavy application bandwidth."
I love technology when: "It's elegant and seamless."
I hate technology when: "It's bloated, carelessly conceived and seeks to trick users into unnecessary dependencies."
My next career: "Biotechnology research."
When I retire, I will: "Travel the world."
Norbert W. Dunkel: Director of Housing and Residence Education
At Work: Oversees housing for more than 9,000 student residents, supervises 750 full- and part-time employees and manages a $33 million operating budget
At Home: 47 years old. Married, one son. Hobbies include collecting astronaut memorabilia and invertebrate fossils
Alma Mater: Southern Illinois University at Carbondale, M.S. in higher education, B.S. in geology
HOW HE GOT HERE:
2000 to present: Director of housing and residence education, UF
1988 to 2000: Assistant, then associate director for staff and student development, UF
1985 to 1988: Assistant, then associate director for student housing, South Dakota State University
1981 to 1985: Residence hall coordinator, University of Northern Iowa
MOUTHING OFF:
What I say to critics of P2P blocking: "As the operator of a high-speed Ethernet system, we must provide good stewardship based on the lawful use of our system, as well as the economic stability to maintain the system."
Most surprising student response to a P2P warning: "I knew it was wrong since I was a freshman in high school. I just didn't think anyone would catch me."
The most misunderstood aspect of my job: "That I can control the behavior of 9,000 on-campus residents 24 hours a day."
Chief difference between UF and other universities: "We have the most engaging, involved, participative group of students that I have experienced at any campus."
Why Icarus is UF's next Gatorade: "People are starting to recognize that Icarus is not a tool for mitigating P2P file sharing, but a unique tool for network management."
When I retire, I will: "Enjoy traveling with my wife to places I have dreamed and read about with total disregard for schedules and timeframes."
J. Michael Rollo: Vice President for Student Affairs
At Work: Responsible for Student Union, housing, counseling center, financial aid, career center, dean of students and overseeing all aspects of student life issues
At Home: 52 years old. Married, three children. Hobbies include music and computers
Alma Mater: UF, Ph.D. in educational leadership, Ed.S in counselor education, M.Ed in counselor education, B.S. in secondary education
HOW HE GOT HERE:
2000 to 2003: Associate vice president for student affairs, UF
1988 to 2000: Associate dean of students, UF
1980 to 1988: Director of student judicial affairs, UF
MOUTHING OFF:
What I say to critics of P2P blocking: "UF will support the enforcement of the law."
Most surprising student response to a P2P warning: "No one is surprised that they are being held accountable."
If I only had a bigger IT budget, I would: "Pay better salaries to a very dedicated staff."
I work at UF because: "It is a great university in a great town."
The most misunderstood aspect of my job: "Defining the role of student affairs in the context of a university."
Greatest business challenge for UF: "Using limited resources to provide quality services to students."
Chief difference between UF and other universities: "Size and complexity."
Why Icarus is not UF's next Gatorade: "Technology is continuing to change so rapidly that it will be more challenging to distinguish Icarus in the market."
I love technology when: "The user can depend on it."
I hate technology when: "It is poorly designed or causes harm to us."
When I retire, I will: "Work at a summer camp in Maine."
The University of Florida has big plans for Icarus, its homegrown software best known for stamping out peer-to-peer file sharing among thousands of students on campus. University officials are developing a plan to commercialize the software.
That's right, the people who brought you Gatorade some 35 years ago and eventually sold the rights to a private company have similar visions for Icarus. The university is already pursuing a patent and will decide shortly whether to license the rights to a vendor or create a new company to market it.
A handful of developers will be hired to help Robert Bird, the lead developer of Icarus, turn his invention into a product that can do more than automate the enforcement of network policies. Bird thinks he can program Icarus to take information from a limitless number of network-monitoring tools, analyze the data, and automate both the containment of worms and viruses and the blocking of various network attacks.
The first task will be to convert the kludgy software, essentially a collection of PERL scripts, into a Java application. Bird also will bring in consultants to help design a commercial-grade user interface. Later, technicians may be hired to provide customer support.
Icarus resembles some features of commercial intrusion-prevention software from the likes of NetScreen Technologies, Network Associates and TippingPoint Technologies. These tools can identify and block certain protocols on the network, according to our technology editors, who have tested these products in NETWORK COMPUTING's Real-World Labs®. Other vendors, such as Mirage Networks, Wholepoint Corp. and even Cisco Systems, have come up with ways to stem the spread of worms and viruses at the switch level.
Bird acknowledges the similarities, but notes that Icarus operates at a layer above these products and is flexible enough to work with all kinds of network-management and monitoring tools. (For technical details, see "An Intelligence Convergence?" page 60.)
Apart from the commercial product, Icarus may also be made available at reduced prices or as an open-source project for nonprofits and colleges, Bird says. "We want to make it extremely friendly to them," he says. "We're not looking to profit from nonprofits."
Before the commercialization of Icarus became university policy, several top officials from IT and other departments indicated they would have preferred to see Icarus become an open-source project rather than a commercial one.
"I think our goal as an educational institution is to provide for the better good," says J. Michael Rollo, vice president for student affairs. He fears that attempting to commercialize Icarus could prove futile in the hypercompetitive world of technology. "This tool may be the best one of its kind right now, but as you know, in technology five minutes from now there is something else out there."