Re: RIAA Moves Against College-Network Fileswapping

[Ken Shaurette <Ken.Shaurette () OMNITECHCORP COM>]

It is true that you should never have anything written in policy that you cannot or do not intend to enforce even if 
only with awareness and reminders that it breaks policy.  Having a policy and not consistently enforcing it raises 
penalties of itself and is loosely identified in Federal Sentencing Guidelines.
 
Not having policy does not protect against the law suit.  An organization could still be shown negligent if they had 
P2P or other violation of copyright laws occuring, were aware of it and did nothing to stop or discourage.  The act in 
and of itself is illegal, promoting (or not stopping) when made aware of the violation could be argued by a good lawyer 
as particpation in the act of committing the crime.  Could it also be argued that you should know your network and this 
type of use is very common so you should have a policy and enforcement measures to discourage?  
 
Your organizaiton is providing the resources to commit the crime whether you have policy against it or not.  Lending 
your car to a person you know is planning to use it to rob a bank does not remove you from liability of having 
particpated in the commision of the robbery.
 
Definition of a jury:  12 men and women who are your peers and determine who has the best lawyer.
 
Ken
Information Security Analyst and Security Solutions Manager
Omni Tech Corporation
(262) 523-3300 x486

        -----Original Message----- 
        From: Bruhn, Mark S. [mailto:mbruhn () INDIANA EDU] 
        Sent: Fri 4/4/2003 9:31 AM 
        To: SECURITY () LISTSERV EDUCAUSE EDU 
        Cc: 
        Subject: Re: [SECURITY] RIAA Moves Against College-Network Fileswapping
        
        
        This supports the notion that policies shouldn't be written unless they are necessary for specific situations, 
and unless the organization has the means and desire to enforce them.  This is one  of the reasons (though maybe not 
the most important) we don't have such a policy, and indeed this citation lends add'l credibility to how most of us 
operate in this area (reactive instead of proactive).
        M.
         
        -- 
        Mark S. Bruhn, CISSP 

        Chief IT Security and Policy Officer 
        Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu 
edu) 

        Office of the Vice President for Information Technology and CIO 
        Indiana University 
        812-855-0326 

        Incidents involving IU IT resources: it-incident () iu edu 
        Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 


        -----Original Message-----
        From: Robert Myles [mailto:mylesr () OHSU EDU] 
        Sent: Friday, April 04, 2003 10:23 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] RIAA Moves Against College-Network Fileswapping
        
        
        There is precedence for the suit against the institution, case was settled for 1.5 million last year in the 
southwest against a company that had a policy against download of MP3's and P2P software, new of a P2P server on their 
system that they did not get around to shutting down, and were found a fault for not following their own policy.  
Lawsuits always go for the deep pockets!!
         
        Robert Myles, CISSP
        Information Security Officer
        Oregon Health & Science University
        
        
        >>> tbm3 () CORNELL EDU 4/4/2003 4:44:03 AM >>>
        Great question, the answer of which may substantially depend on whether
        they followed DMCA registration and procedures.  Verizon did not, which is
        why RIAA subpoenaed them for user name.  If these schools follow "safe
        harbor" provisions of the DMCA, they should be immune from contributory
        copyright liability.  And even if they did not, there is language in the
        DMCA regarding ISPs which should go a long towards protecting them.  But
        still, these are $64,000 questions, becoming more costly by the minute.
        
        Tracy
        
        At 06:30 AM 4/4/2003 -0600, you wrote:
        >Do you feel this excludes them from turning a law suit against the college
        >network operators next?  Especially if they feel a college hasn't done
        >enough to discourage the activity?
        >
        >Ken M. Shaurette, CISSP, CISA, CISM, IAM
        >Omni Tech Corporation, www.omnitechcorp.com
        >(262) 523-3304
        >
        >         -----Original Message-----
        >         From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
        >         Sent: Thu 4/3/2003 9:06 PM
        >         To: SECURITY () LISTSERV EDUCAUSE EDU
        >         Cc:
        >         Subject: Re: [SECURITY] RIAA Moves Against College-Network
        > Fileswapping
        >
        >
        >
        >         Please note, the action is not against network operators, but users,
        >         students.  Attached is the RIAA letter concerning this
        > matter.  Tracy Mitrano
        >
        >
        >         At 08:56 PM 4/3/2003 -0500, you wrote:
        >         >For those of you that don't read slashdot -
        >         >
        >         >"The RIAA is taking action against college "Napster networks".
        > It's suing
        >         >four network operators, two at Renssalaer Polytechnic Institute,
        > one at
        >         >Princeton University, and one at Michigan Technological
        > University."..
        >         >
        >         >http://yro.slashdot.org/yro/03/04/03/2312220.shtml?tid=141
        >         >
        >         >If you have lots of p2p traffic on your network you might want
        > to touched
        >         >base with your general council, if you haven't already.
        >         >
        >         >Cheers -
        >         >
        >         >**********
        >         >Participation and subscription information for this EDUCAUSE
        > Discussion
        >         >Group discussion list can be found at
        > http://www.educause.edu/memdir/cg/.
        >
        >         **********
        >         Participation and subscription information for this EDUCAUSE
        > Discussion Group discussion list can be found at
        > http://www.educause.edu/memdir/cg/.
        >
        
        **********
        Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
        
        ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be 
found at http://www.educause.edu/memdir/cg/. 

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found 
at http://www.educause.edu/memdir/cg/.