Data Retention & "Are universities protecting students from the RIAA?"

[Rodney Petersen <rpetersen () EDUCAUSE EDU>]

I am normally reluctant to share and comment on news articles in this
forum, especially regarding the topic of P2P filesharing (which is
largely not a security issue, in my opinion).  However, I wanted to
bring to your attention that CNET has published a story on the issue of
data retention at colleges and universities (which certainly is relevant
to security professionals) and P2P filesharing available at
http://www.news.com/8301-13578_3-9799271-38.html

Of particular interest to this group might be the charge that colleges
and universities are not being open about their data retention policies.
The author, Declan McCullagh, also invites readers at the end of his
post:  (If you know more details about a particular university's data
retention policy, please post them below...) 

Below are some excerpts from the story.

Rodney Petersen
EDUCAUSE/Internet2 Security Task Force


> ******************************************************
>
> October 18, 2007 4:00 AM PDT
>
> Are universities protecting students from the RIAA?
>
> Posted by Declan McCullagh
> <http://www.news.com/8300-13578_3-38.html?authorId=111&tag=author>  
>
> As I wrote earlier this week
> <http://www.news.com/8301-10784_3-9798784-7.html> , the Recording
> Industry Association of America has now expanded its campaign against
> illicit file-sharing to students at George Washington University. 
. . .

> If GWU has deleted its logs of who was using what IP address back
> then, the RIAA is going to be out of luck. So this becomes an
> important question: how long do universities keep logs showing who's
> been assigned a particular IP address? And why won't they say what the
> duration is? 
. . .. 

> Now, there's no legal obligation for colleges or universities to keep
> records of temporary IP address assignment, assuming addresses are
> allocated on demand through a protocol like DHCP
> <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol> .
> (They also can be allocated semi-permanently based on geographic
> location such as residence hall or campus office.)
. . .

> While schools have the right to set whatever policies they want--in a
> pro-copyright or pro-privacy direction--they should at least be public
> about it. That would let students, faculty, and staff debate the topic
> in the open rather than let rules be set in private by attorneys or
> administrators who tend to be far too risk-averse
> <http://www.news.com/8301-13578_3-9795510-38.html> . It would also, I
> suppose, let students who are wavering between one school and another
> decide whether they'd rather attend a school that has chosen copyright
> as a paramount value, or one that has embraced privacy instead. 
. . .