It may often occur that works offered over the Internet, either by a service provider or its subscribers, are included within the copyright owned by a third party who has not sanctioned the works’ distribution. In some instances, a service provider may be liable for a copyright infringement using its service and systems. Access to copyrighted material without license is illegal in itself. It is analogous to receiving stolen property. The damage done through plagiarism and the deception it entails damages not just those involved, but also the entire information security community when it is one of our own.
Plagiarism can be no different to receiving stolen intellectual property.
What has changed is the ease and distances associated with the distribution of copied materials. The global Internet allows people to copy and distribute copyrighted works almost instantaneously anywhere in the world be this on a one-to-one distribution or using a shared P2P network. Intermediaries are involved as both the storage sites and the conduit.
Plagiarism varies in its extent. It goes from simply rephrasing the ideas of another without referencing your sources right through to the literal block copy of paragraphs of text and the theft of entire passages.
This literal copying is a form of fraud and theft. In some cases, the aim is not an accidental unacknowledged phrase but deception. The author wants to use the works of another as their own. In this “uniquely secretive form of theft” the author is asserting a level of skill, knowledge and expertise that they do not exhibit on their own. They are using the work and study of another to lift their own lack of ability.
Simon Caterson wrote that “Plagiarists can only get away with stealing words while their victims remain in ignorance. As Christopher Ricks points out, it is the intention to conceal that essentially distinguishes plagiarism from legitimate forms of literary appropriation, such as allusion: "the alluder hopes that the reader will recognise something, the plagiariser that the reader will not".”
Some, and this has been attributed to many individuals, state that “to steal ideas from one person is plagiarism. To steal from many is research”.
This makes light of the damage that the fraud and deception of plagiarism causes, but more importantly, it detracts from real research. A good researcher uses the ideas of others, but also attributes the sources.
Further, plagiarism does not just hurt a nebulous idea of society and the copyright holder, it leads to liability for the hosting party in some instances. As a breach of copyright laws, the ICP [Internet Content Provider] or ISP can be found liable if they fail to act. This even extends to online journals and blogs.
For a party to be charged with a civil copyright infringement or media piracy in the US, the claimant needs to mutually prove each of the following:
- show ownership of the copyright work, and
- demonstrate that the other party "violated at least one exclusive right granted to copyright holders under 17 U.S.C. § 106".
The problems in Information Security
Plagiarism by “security professionals”, and I use this term lightly in the wider sense as fraud is not professional, is of particular concern. It is one thing to forget to attribute an idea in a report that is written by the author and has not been simply block copied, but another altogether to pass the writings of another person off as your own.
The issue is that some people in the industry leverage the works of others coupled with external promotion to seem more than they are. We all suffer for this and in a field as critical as security, the costs can be disproportionate to the damage a single individual could seem to be able to create.
This topic is not new. Other writers have taken Gregory D. Evans, “author” of "World’s No. 1 Hacker" book to task for stealing vast blocks of other people’s work. Yet these people remain. Despite their frauds in passing off a level of expertise they do not actually possess, people trust these security doppelgangers.
Here in Australia, we have such a case as well. I wrote on this topic three years ago now. That did not stop this individual from promoting herself as more than she really is to the point where she has been awarded ICT professional of the year in Australia.
Ms Rattray in one example of her writings took the text from Erik Guldentops’ “Harnessing IT for Secure, Profitable Use” and block copied this into an article she professed to have written. This article was published in Insecure. An article by Jo Stewart-Rattray began on page 73 of issue 14. I had notified the publishers who had that article pulled as Ms Rattray had plagiarised it. The original copy is still available thanks to the nature of the web.
Ms Rattray’s feeble excuse for fraudulently stating the writings as her own was that she had planned to add a reference later. Really? Adding a reference when more than half the article has been stolen and fraudulently promoted as her own? For that matter, would not the adding of a reference have been better justified before publication? If you have been published for three months and have not made an attempt to update a document, does that not seem as if you have basically intended to fraudulently promote it as your own?
There are copyright issues with this level of plagiarism, but the true problem is the betrayal of trust.
People such as Ms Rattray and Gregory D. Evans promote themselves as experts. People trust them in what they say and implement solutions and controls based on a level of knowledge that these individuals do not actually have.
In the end, we all suffer when frauds are allowed to flourish. This fraud is a sign of dishonesty.
In these cases, we have to ask the question: do we really want to trust a person who would steal the works of another and pass them off as their own? They are dishonest, how can we place our trust in them?
Worse, in Ms Rattray’s case, she is a director of ISACA. In allowing her unethical behaviours, she tarnishes the reputations of all members of ISACA.
The legal issues with respect to copyright and piracy.
In the UK, copyright law is governed through the “Copyright, Designs and Patents Act 1988” (the “1988 Act”) and the ensuing decisions of courts. The Australian position mirrors that of the UK where protection of a work is free and automatic upon its creation and differs from the position in the US, where work has to be registered to be actionable. While some divergences may be found, Australian copyright law largely replicates the frameworks in place within the US and UK. The copyright term in Australia is shorter than in these jurisdictions, being the creator’s life plus 50 years, whereas the UK has a term of 70 years from the end of the calendar year in which the last remaining author of the work dies for literary works. As co-signatories to the Berne Convention, most foreign copyright holders are also sheltered in both the UK and Australia.
The 1988 Act catalogues the copyright holder’s exclusive rights as the rights to copy, issue copies of the work to the public, perform, show or play in public and to make adaptations. An ephemeral reproduction that is created within a host or router is a reproduction for the purposes of copyright law. Though there appears to be no special right to broadcast a work over a network, a right is granted in Section 16(1)(d) to broadcast the work or include it in a cable program service. The notion of “broadcast” is restricted to wireless telegraphy receivable by the general public. Interactive services are explicitly excluded from the designation of “cable program service” (S.7 (2)(a)). A proviso making an individual an infringer of the act in the event of remote copying has been defined to encompass occasions where a person transmits the work over a telecommunications system knowing or reasonably believing that reception of the transmission will result in infringing copies being created.
The law contains provisions imposing criminal penalties and civil remedies for making, importing or commercially trading in items or services designed to thwart technological copyright protection instruments, and sanctions against tampering with electronic rights management information and against distributing or commercially dealing with material whose rights management information has been tampered with.
There are several legislative limitations on the scope of exclusive rights under UK law. Liability is also possible for secondary infringement including importing and distributing infringing copies prepared by a third party. The scope of the exclusive rights of the copyright owner is extensive enough to include an ISP or ICH that utilizes or consciously allows another to use its system in order to store and disseminate unauthorized copies of copyright works. This situation would create the risk of civil action. A contravention could constitute a criminal offence if a commercial motivation for copyright infringement could be demonstrated.
The Australian High Court decision in Telstra Corporation Ltd v Australasian Performing Rights Association Limited imposed primary liability for copyright infringement on Telstra in respect of music broadcast over a telephone “hold” system. A large part of the decision concentrated on the definition of the diffusion right in Australia. It follows from this decision that if an ISP broadcasts copyright works in the general course of disseminating other materials through the Internet, that diffusion is a “transmission to subscribers to a diffusion service” as defined by the Australian Copyright Act. It consequently emerges that an ISP may be directly liable for an infringement of copyright caused by that transmission under Australian common law for the infringements of its customers.
A determination as to whether a message using telecommunications is “to the public” will likely hinge on whether the message is made “openly, without concealment” to a sufficiently large number of recipients. No case has attempted to quantify a specific cut-off point.
In Moorhouse v. University of New South Wales, a writer initiated a “test case” asserting copyright infringement against the University of New South Wales. The University had provided a photocopier for the function of allowing photocopying works held by the university’s library. A chapter of the plaintiff’s manuscript was copied by means of the photocopier. The library had taken rudimentary provisions to control the unauthorized copying. No monitoring of the use of the photocopier was made. Further, the sign located on the photocopier was unclear and was determined by the Court to not be “adequate”. The Australian High Court held that, whilst the University had not directly infringed the plaintiff’s copyright, the University had sanctioned infringements of copyright in that the library had provided a boundless incitement for its patrons to duplicate material in the library. Intermediaries are frequently in the same position as the University. They provide rudimentary monitoring of client infringements at best. In July 1997, the Australian Attorney-General published a discussion paper that proposed a new broad-based technology-neutral diffusion right as well as a right of making available to the public. This provides the position where direct infringement by users of a peer-to-peer (P2P) file-sharing network would be covered in Australian law in a manner comparable to the US position in both Napster and Grokster.
Mann and Belzley’s position, which holds the least-cost intermediary liable, is likely to be upheld under existing UK, US and Australian law. The positions held by the court in Telstra v Apra and Moorhouse v UNSW define the necessary conditions to detail public dissemination and infringement through a sanctioned arrangement. The public dissemination of music clips on a website could be seen as being analogous to the copying of a manuscript with the ISP's disclaimer being held as an inadequate control. It is clear that the provision of technical controls, monitoring and issuing of take down notices by the ISP would be far more effective at controlling copyright infringement than enforcing infringements against individuals.
Several cases have occurred in the US involving ISPs or other service providers that hosted copyright material made available to those accessing the site. A significant decision was made in Religious Technology Center v Netcom On–line Communication Services, Inc. The case involved the posting of information online which was disseminated across the Internet. The postings were cached by the hosting provider for several days, and robotically stored by Netcom’s system for 11 days. The court held that Netcom was not a direct infringer in summary judgment. It was held that the mere fact that Netcom’s system automatically made transitory copies of the works did not constitute copying by Netcom. The court furthermore discarded arguments that Netcom was vicariously liable. The Electronic Commerce (EC Directive) Regulations 2002 warrants that the equivalent outcome would be expected in the UK.
The US Congress has acted in response with a number of statutes that are, by and large, intended to protect the intermediary from the threat of liability. The Digital Millennium Copyright Act (DMCA) envelops the possibility of liability from copyright liability. The DMCA is prepared such that it exempts intermediaries from liability for copyright infringement whilst they adhere to the measures delineated in the statute. These in the main compel them to eliminate infringing material on the receipt of an appropriate notification from the copyright holder. These protections only apply to the US. With the globalization of service offerings and the introduction of cloud computing, extra-jurisdictional issues still arise. This makes it more critical that intermediaries act to ensure that they have created contracts that can be enforced and that they maintain a suitable monitoring regime.
The “fair dealing” exceptions provided in the copyright laws of the UK are a great deal more restrictive than the “fair use” exceptions held by the US. If the Netcom trial was held in the UK, it would have to deal with the explicit requirements of Section 17 of the UK’s 1988 Act that defines copying in a manner that includes storage by electronic means. The act also includes provisions that cover the creation of transient or incidental copies. These provisions make it probable that the result in the UK would have varied from that in the US at least in the first instance. The inclusion of storage differentiates ISPs and ICPs from telephone providers, aligning them closer to publishers. An ISP or ICP could attempt to argue a similarity to a librarian over that of a publisher. The statutory provisions providing certain exemptions from liability for libraries under the 1988 Act and accompanying regulations are unlikely to apply to an ISP as the ability for a librarian to make copies is controlled under strict conditions. It is doubtful that these conditions could be met by either an ISP or ICP.
An ISP or ICP would rarely have complete (or even near complete) knowledge of the content held on their systems. In contrast, even the largest of libraries has a complete catalogue of the materials on its shelves. Both the common law of the UK and Australia divide defamation by publication into three classes. This includes the publisher who is strictly liable for publishing defamatory material. As the distributor of the material, they are presumed to know its content and are not at liberty to use the defense of innocent dissemination. Next are the subordinate publishers. These parties are also known as secondary distributors. The subordinates are liable for publishing defamatory material to a limited extent. The defense of innocent dissemination can be used if the party can demonstrate that they had no knowledge of the material’s content. Lastly, there is the class of those who are not publishers and are not liable for publication.
If an ICP [Internet Content Provider] or ISP is to claim protection as a publisher, it is illogical to expect the last class of defense to apply to them. In the first class, they are liable. This leaves only the option of claiming innocent dissemination as a secondary distributor. If it can be demonstrated that the ISP or ICP monitors the content they maintain in any way or that the content was brought to the attention of the ICP, this defense will fail. There are both similarities and differences between the UK common law and US defamation code. The US also creates three classes: primary publishers, secondary publishers (also called distributors) and parties who are not publishers. Primary publishers closely represent the UK common law class of publisher and do not receive protection through limited liability provisions in the Federal code. Secondary publishers do have some limitations as to the liability they can face. There are few cases that have considered the liability of ICPs. These have so far placed the ICP in the same place as authors of printed material. This approach does create interesting possibilities as can be seen from Macquarie Bank Ltd v Berg. This case involved an ex parte application for an injunction to restrain the publication of material. The intent was to stop publication via a Web site hosted in the US. The result was that New South Wales Supreme Court Justice Simpson declared:
“An injunction to restrain defamation in NSW is designed to ensure compliance with the laws of NSW, and to protect the rights of plaintiffs, as those rights are defined by the law of NSW. Such an injunction is not designed to superimpose the law of NSW relating to defamation on every other state, territory and country of the world. Yet that would be the effect of an order restraining publication on the Internet”
Modern peer-to-peer networks have separated the network from software with a decentralized indexing process in an attempt to defend themselves from an exposure to vicarious liability as in Napster. The methods suggested by Kraakman’s analysis of asset insufficiency have led ICPs and ISPs to become judgment proof, thus restraining the effectiveness of sanctions even against the intermediaries. It seems natural to expect as the technology develops that it in practice will be so decentralized as to obviate the existence of any intermediary gatekeeper that could be used to shut down the networks.
The success of modern peer-to-peer networks has resulted in the content industry targeting those individual copyright infringers who use peer-to-peer networks to disseminate or download copyrighted material. Existing peer-to-peer networks and software permit the capture of sufficient information concerning individuals who attach to the network to identify the degree of infringement and possibly who is responsible. Recent advances to the P2P networking protocols have allowed users to screen their identity, removing the ability for copyright holders to bring their claims to court. As copyright infringement evolves, it will become more improbable to expect a solution through prosecuting individual users.
This type of action is currently being fought in the EU with Danish ISP, Tele2, planning to fight a court order requiring it to block access to the Bit-Torrent website known as Pirate Bay. The ISP has cut off access to the site for its customers but other ISPs in Denmark are yet to receive letters requesting that they also prevent their users from accessing the website. The International Federation of the Phonographic Industry (IFPI) has stated that it plans to dispatch the letters this week (Feb, 2008).
Jurisdictional issues will play a large role in the determination of a case. The location of the plaintiff as well as the increasingly global nature of Internet commerce introduces a level of uncertainty to both the ISP and ICP as well as the author of information. It is insufficient for the ICP to consider the jurisdiction in the locality where they are incorporated alone. Rather, it is necessary to also consider the possible range of jurisdictions from which clients of the ICP may operate. Some jurisdictions, such as Australia, seek to limit the reach of their influence. Other jurisdictions such as Florida in the USA have taken the opposite approach. Florida’s ‘Long Arm’ statute permits jurisdiction over those “engaged in substantial and not isolated activity” within the state. When comparing the approaches of the Florida and NSW state courts, we see a radically different approach to determining jurisdiction.
 “A plagiarism on them all” November 20, 2004 - http://www.theage.com.au/articles/2004/11/18/1100748128612.html
 The Australian Act is modeled on the 1956 UK Act.
 This does not include broadcasting or cable
 See also, UK Intellectual Property Office (http://www.ipo.gov.uk/), Australian Copyright Council Online Information Centre (http://www.copyright.org.au) and the US Copyright Office (http://www.copyright.gov/)
 See Queen’s Bench in Godfrey v. Demon Internet Ltd, QBD,  QB 201. The United Kingdom Parliament took no action to exempt Internet Intermediaries from liability after the court held an internet service provider liable as the publisher at common law of defamatory remarks posted by a user to a bulletin board.
 Telstra Corporation Limited v Australasian Performing Rights Association Limited (1997) 38 IPR 294. The Majority of the High Court (with Justices Toohey and McHugh dissenting) upheld the Full Court that music on hold transmitted to users of wired telephones represents a transmission to subscribers over a diffusion service. The Court further unanimously held that music on hold transmitted to users of mobile telephones involves a broadcast of the music.
 Section 26 of the Copyright Act 1968 (Cth, Australia), the Australian Copyright Act.
 This decision has created apprehension amongst authors. E.g. Simon Gilchrist “Telstra v Apra –Implications for the Internet”  CTLR 16 & MacMillian, Blakeney “The Internet and Communications Carriers’ Copyright Liability”  EIPR 52.
 Ibid; See also Goldman v The Queen (1979), 108 D.L.R. (3d) 17 (S.C.C.), at p. 30. It would therefore appear that it is the intention of the sender of the message which is determinative of the private or public nature of the message
  R.P.C. 151.
 This is similar to the findings in RCA Corp. v. John Fairfax & Sons Ltd  R.P.C. 91 at 100 in which the court stated that “[A] person may be said to authorize another to commit an infringement if he or she has some form of control over the other at the time of infringement or, if there is no such control, if a person is responsible for placing in the hands of another materials which by their nature are almost inevitably to be used for the purpose of infringement.”
  R.P.C. 151 “[A] person who has under his control the means by which an infringement of copyright may be committed - such as a photocopying machine - and who makes it available to other persons knowing, or having reason to suspect, that it is likely to be used for the purpose of committing an infringement, and omitting to take reasonable steps to limit use to legitimate purposes, would authorize any infringement that resulted from its use”.
 See Attorney-General’s Discussion Paper, “Copyright and the Digital Agenda”, July 1997 at 71. The goal of this paper was to indicate the method by which Australia could implement the international copyright standards agreed at the December 1996 WIPO meeting.
 A&M Records Inc v Napster, Inc 114 F Supp 2d 896 (ND Cal 2000) & A&M Records Inc v Napster, Inc 239 F 3d 1004 (9th Cir 2001); Metro-Goldwyn-Mayer Studios Inc v Grokster Ltd No.s CV-01-08541-SVW, CV-01-09923-SVW (CD Cal, 25 April 2003) ('Grokster') (available at www.cacd.uscourts.gov) & Grokster Nos CV-01-08541-SVW, CV-01-09923-SVW (CD Cal, 25 April 2003), 21-2.
 47 U.S.C. § 230(c)(1) (2004) (This section details the requirements of the CDA that do not apply to ISPs).
 907 F. Supp. 1361 (N.D. Cal. 1995)
 See also, System Corp. v Peak Computer Co., F.2d 511 (9th Cir. 1993), in which it was held that the creation of ephemeral copies in RAM by a third party service provider which did not have a license to use the plaintiff’s software was copyright infringement.
 Statutory Instrument 2002 No. 2013
 The act states that an ISP must act “expeditiously to remove or to disable access to the information he has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network”. The lack of response from Netcom would abolish the protections granted under this act leaving an ISP liable to the same finding.
With some minor exceptions, other countries have also seen broad liability exemptions for internet intermediaries as the appropriate response to judicial findings of liability. The United Kingdom Parliament took no action after the Queen’s Bench in Godfrey v. Demon Internet Ltd, QBD,  QB 201, held an Internet service provider liable as the publisher at common law of defamatory remarks posted by a user to a bulletin board. In the U.S., §230 of the CDA would prevent such a finding of liability. Similarly, courts in France have held ISPs liable for copyright infringement committed by their subscribers. See Cons. P. v. Monsieur G., TGI Paris, Gaz. Pal. 2000, no. 21, at 42–43 (holding an ISP liable for copyright infringement for hosting what was clearly an infringing website).
In 2000, however, the European Parliament passed Directive 2000/31/EC, available at http://europa.eu.int/eur-lex/pri/en/oj/dat/2000/l_178/l_17820000717en00010016.pdf, which in many ways mimics the DMCA in providing immunity to ISPs when they are acting merely as conduits for the transfer of copyrighted materials and when copyright infringement is due to transient storage. Id. Art. 12, 13. Further, the Directive forbids member states from imposing general duties to monitor on ISPs. Id. Art. 15. This Directive is thus in opposition to the British and French approaches and requires those countries to respond statutorily in much the same fashion as Congress responded to Stratton Oakmont and Religious Technology Centres. Of course courts are always free to interpret the Directive or national legislation under the Directive as not applying to the case at hand. See, e.g., Perathoner v. Pomier, TGI Paris, May 23, 2001 (interpreting away the directive and national legislation in an ISP liability case).
Canada has passed legislation giving ISPs immunity similar to the DMCA. See Copyright Act, R.S.C., ch. C-42, §2.4(1)(b) (stating “a person whose only act in respect of the communication of a work or other subject-matter to the public consists of providing the means of telecommunication necessary for another person to so communicate the work or other subject-matter does not communicate that work or other subject-matter to the public”). The Canadian Supreme Court interpreted this provision of the Copyright Act to exempt an ISP from liability when it acted merely as a “conduit.” Soc’y of Composers, Authors and Music Publishers of Can. v. Canadian Assoc. of Internet Providers,  S.C.C. 45, 240 D.L.R. (4th) 193, 92. The court in that case also interpreted the statute to require something akin to the takedown provision of the DMCA. See id. at 110.
Pub. L. No. 105- 304, 112 Stat. 2860 (1998) (codified in scattered sections of 17 U.S.C.).
 907 F. Supp. 1361 (N.D. Cal. 1995)
  A Def R 53, 035.
 Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 380 F.3d 1154 (9th Cir.) (Refusing to find liability for Grokster even though it aided end-users in copyright infringement because the service. This case is fundamentally different than Napster), cert. granted, 125 S. Ct. 686 (2004).
This text explains that peer-to-peer networks have removed the intermediary on which copyright enforcement relies.
See Amy Harmon, Subpoenas Sent to File Sharers Prompt Anger and Remorse, N.Y. Times, July 28, 2003, at C1. See also Brian Hindo & Ira Sager, Music Pirates: Still on Board, Bus. Wk., Jan. 26, 2004, at 13. See J. Cam Barker, Grossly Excessive Penalties in the Battle Against Illegal File-Sharing: The Troubling Effects of Aggregating Minimum Statutory Damages for Copyright Infringement, 83 Texas L. Rev. 525 (2004).
Perversely, what probably has in fact reduced the frequency of copyright infringement is more crime: using P2P systems subjects a computer to the threat of viruses that are spread inside the files obtained. Wendy M. Grossman, Speed Traps, Inquirer (U.K.), Jan. 14, 2005, available at http://www.theinquirer.net/?article=20718 (last visited Jan. 15, 2005). Dissuasion has been the systematic effort by the recording industry to saturate P2P systems with dummy files that make getting the music a user actually wants quite difficult. See Malaika Costello-Dougherty, Tech Wars: P-to-P Friends, Foes Struggle, PC World, Mar. 13, 2003, at __ , available at http://www.pcworld.com/news/article/0,aid,109816,00.asp (last visited Jan. 15, 2005) (documenting the practice and attributing it to a company called Overpeer, which is apparently an industry anti-piracy company).
 See, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9062482&source=rss_topic17 and http://www.heise-online.co.uk/security/Code-injection-vulnerability-in-Adobe-s-Flash-Media-Server--/news/110115