Re: DMCA subpoenas have arrived . . .

[Tracy Mitrano <tbm3 () CORNELL EDU>]

Excellent question, Eoghan.

I agree with your evaluation.  Nothing of which I am aware in law generally
requires the retention of netflow data unless specifically required by
compulsory legal papers such as a subpoena addressed to particular case,
traffic and data.

As everyone knows, but it is worth repeating, it is up to the institution
to determine the amount of netflow data needed for full back up and
maintenance operations and then whether, on top of that time, they want to
preserve for any other institutional/network purpose.  Many institutions
have conducted those studies and then decided to maintain only up to that
date.  There is no magic number for any one campus; one might only
recommend that the amount of time is a self-conscious decision on the part
of IT, libraries, legal counsel and any other relevant stakeholders in the
matter.  It is true that if you have it, it can be subpoenaed, and I would
never recommend, a la contemporary cases we all know about, attempting to
delete data once a specific case either looms (for example, if issued with
these kind of subpoenas) or is filed. Better to think out the
strategy/operational policy well in advance of a specific "case or
controversy" involving your campus.

Congratulations on your position with EDUCAUSE, and for providing me with
the opportunity to attach the aforementioned draft policy which I forgot to
attach before!

Best, Tracy

At 01:25 PM 7/16/2003 -0400, Eoghan Casey wrote:
> Tracy,
>
> I am wondering about the liability associated with failing to preserve
> logs that are known to contain related evidence. For instance, suppose that
> NetFlow logs are collected routinely for all Internet traffic but are also
> routinely deleted after a certain period. In your opinion, does an IT
> department have a legal responsibility to prevent those NetFlow logs from
> being deleted when one of these subpoenas is received even if the subpoena
> does not include a preservation request?
>
> My initial sense - if nobody asks for those NetFlow logs to be preserved,
> the IT department is not required to take the initiative. However, I am
> wondering if there are negligence/due diligence issues.
>
> Eoghan Casey
>
> Tracy Mitrano wrote:
>
> > Dick,
> >
> > I cannot answer those questions specific to incidents at other schools, but
> > I would like to share the draft compulsory legal papers policy we have in
> > process at Cornell (spurred on by Patriot Act) for proper funneling of such
> > documents to the appropriate offices.
> >
> > May I also share a question that has come up in private correspondence:
> >
> >          Question:  Should the IT department do any extra investigation
> > into the matter, for example the netflow traffic relevant to the subpoenas?
> >
> >          Answer: My $.02: no.  I would not do any additional
> > investigations.  The institution does not owe that information to the
> > requester; if the alleged defendant wants it, he or she can subpoena the
> > information themselves.   Also, the more information provided, the more the
> > likelihood that it may cross over into an "educational record."  Wouldn't
> > that be an irony:  schools try to comply and then find themselves being
> > faced with a FERPA violation!
> >
> >          Any further defenses/evidence will be conducted by the parties, in
> > court.  I would strive to keep our academic institutions as far out of the
> > process as possible, while still complying with the law.
> >
> > I hope that helps folks.
> >
> > Also, I have received calls from journalists looking for schools that have
> > had subpoenas.  I have provided no names of specific schools.  The most
> > recent is from Katie Dean at Wired.  If anyone would like to talk with her
> > about such experiences, her number is 415-276-8501.
> >
> > Hope that helps!
> >
> > Tracy
> >
> > At 03:54 PM 7/14/2003 -0500, Dick Jacobson wrote:
> > >On Fri, 11 Jul 2003, Tracy Mitrano wrote:
> > >
> > >I saw the question but have not seen an answer ..
> > >
> > >How were these served ??  On the President ?  On the DMCA Agent ?  On
> > >someone else ?
> > >
> > > > Hi Jack,
> > > >
> > > > My sympathies to your school, although it is only a matter of
> "there but
> > > > for the grace of god go we", i.e. a matter of time, before we all
> face this
> > > > matter.
> > > >
> > > > We are here at the EDUCAUSE/Cornell Institute for Computer Policy
> and Law
> > > > and have talked extensively about this issue.  First we have
> learned that
> > > > you are not alone. I believe that Northwestern has also received some
> > > > "Verizon" type subpoena, and I think I have heard of some more.
> > > >
> > > > After the circuit court decided the case on Verizon I have pushed
> hard on
> > > > this issue by querying anyone and everyone whom I believed had
> expertise in
> > > > this area.  Recognizing the legal posture of this issue, I have
> focused on
> > > > the question of whether there is a policy response that higher
> education
> > > > might want to give based on some very general principles of "academic
> > > > freedom" or "the spirit of FERPA."   My conclusion is that none of
> these
> > > > arguments are adequately tenable as a legal matter.  Given the
> totality of
> > > > circumstances and including the fact that higher education should
> not be in
> > > > the business of protecting flagrant offenders of federal law, upon
> > > > ascertaining that the subpoena is in proper legal order, campuses
> should
> > > > comply.
> > > >
> > > > The next issue is whether to inform the individual whose name is
> > > > requested.  FERPA requires such notification unless the subpoena
> > > > specifically restricts that the institution do so.  Whether the
> name is an
> > > > "educational record" is questionable, however, and probably not,
> but nor
> > > > does it appear that the subpoenas specifically restrict notification
> > > > either.  It is up to the institution, and the only thing I would
> recommend
> > > > is that institutions figure out in advance:
> > > >
> > > > (1) its routing of legal papers protocol;
> > > > (2) compliance procedures;
> > > > (3) whether the institution will notify the individual and
> > > > (4) how to do so appropriately.
> > > >
> > > > Please, everyone, keep us posted!
> > > >
> > > > Tracy
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > At 06:21 PM 7/9/2003 -0500, you wrote:
> > > > >Good evening
> > > > >
> > > > >I want to let you know that we at Loyola Chicago have received our
> first
> > > > >subpoena issued on behalf of the Recording Institute Association of
> > > > >America (RIAA) accompanied by a DMCA notification of copyright
> > > > >infringement.
> > > > >
> > > > >Are we alone here on this?
> > > > >
> > > > >The subpoena delivered by a process server in person directed that the
> > > > >University provide the names, addresses, telephone numbers and e-mail
> > > > >address, of persons assigned to a specific IP address.
> > > > >
> > > > >After discussion with our colleagues in student affairs and general
> > > > >counsel, we opted to comply with the subpoena and to send an
> e-mail to the
> > > > >persons assigned to the IP address (indicated in the subpoena)
> advising
> > > > >them about the DMCA notice of copyright infringement and about
> subpoena --
> > > > >after checking to see whether the persons involved (who are students
> > > > >currently enrolled in our summer session) had placed a hold on the
> release
> > > > >of their directory information.
> > > > >
> > > > >Regarding students who have placed a hold on the release of their
> > > > >directory information we still plan to advise the student but give the
> > > > >student time to contact the counsel for groups such as RIAA to
> contest the
> > > > >subpoena.  We will need to contact the counsel to request additional
> > > > >time to enable us to comply with the subpoena.
> > > > >
> > > > >I expect that this is the beginning of a new campaign by groups
> such as
> > > > >the RIAA to deal with students making available copyright
> materials on the
> > > > >Internet using the university network resources.  I had
> anticipated this
> > > > >action after the announcement of the Verizon decision but not so soon.
> > > > >
> > > > >
> > > > >As I had asked at the beginning of this note, are we alone?  If
> not, what
> > > > >has been your experience?
> > > > >
> > > > >Ciao!
> > > > >
> > > > >Jack
> > > >
> > >
> > >--
> > >
> > >-----------------------------------------------------------------------
> > >Dick Jacobson                   e-mail : Dick.Jacobson () ndsu NoDak edu
> > >ND HECN MultiUser Host SysAd    office : IACC 206, NDSU
> > >NDUS IT Security Officer        phone  : 701-231-7385
> > >-----------------------------------------------------------------------
> > >
> > >**********
> > >Participation and subscription information for this EDUCAUSE Discussion
> > >Group discussion list can be found at http://www.educause.edu/memdir/cg/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/memdir/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.

Attachment: LP09.pdf
Description: