Re: DMCA Violation

[Colleen Keller <ckeller () EDUCAUSE EDU>]

EDUCAUSE does still maintain the list of Legal Sources of Online Content.
https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/legal-sources-onli

Please let me know if you have any questions, thank you.

Colleen Keller

Manager, Metadata and Library Services


EDUCAUSE<http://www.educause.edu/>
Uncommon Thinking for the Common Good
direct: 303.939.0309 | main: 303.449.4430 | educause.edu<http://www.educause.edu/> | Twitter: @EDUCAUSElibrary





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Greg Jackson
Sent: Tuesday, February 18, 2020 4:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DMCA Violation


Long post, for which apologies, but I thought it might be useful for some background and observations on the DMCA 
issues and practice, time having passed and experience having accumulated. Plus, I'm avoiding working on my taxes.

By way of introduction, I served as the University of Chicago's DMCA agent for some years, and as a reward (or, same 
thing, punishment) ended up testifying on the Hill and then landed squarely in the middle of the negotiations that 
yielded the 10/29/2009 HEOA 
regulation<https://library.educause.edu/resources/2009/10/final-heoa-regulations-issued-for-p2p-provisions>s. A few 
years later, as further punishment (albeit the paid kind), I spent a year+ over on the dark side, helping NBCUniversal 
try to come up with carrots to replace (or at least balance) its sticks. That, as a byproduct, gave me access to a lot 
of relevant data on patterns of detection, notification, and prevention (more on that at the bottom), although the 
project fizzled when NBCU leadership changed and the project's patron moved on from copyright to tackle LaGuardia 
rapid-transit access and other easier issues.

Per DMCA generally and HEOA specifically, campuses must deal with the issue, on pain (in theory) of being held liable 
for their students' unauthorized distribution of copyrighted material (which the the copyright industry likes to call 
"piracy") or, in the extreme, becoming ineligible for certain federal funding (no one thinks this would really happen).

"Deal with the issue" involves three parts:

  1.  An annual disclosure to students describing copyright law and campus policies related to violating copyright law,
  2.  A plan to "effectively combat the unauthorized distribution of copyrighted materials" by users of its network, 
including "the use of one or more technology-based deterrents", and
  3.  A plan to "offer alternatives to illegal downloading".

#1 is easily satisfied as part of orientation, network signup, or other routine points at which students are told what 
they should or shouldn't do.

#3 is also easily satisfied, since simply telling students about some legitimate sources (which are far more numerous 
and commonly used today than they were back then) checks the box. EDUCAUSE used to maintain a list to which a campus 
could simply link, but that seems to have disappeared.

#2 is the core requirement. In general, it means that campuses must have some kind of policy with regard to copyright 
infringement, and reasonable mechanisms to implement it. Different campuses choose different reasonable mechanisms, but 
I think it's fair to assert that most campuses start with effective processes for dealing with properly framed DMCA 
complaints from copyright holders.

Not all complaints about copyright infringement are "properly framed DMCA complaints". To qualify, a complaint

  1.  must be from the copyright holder(s) or her/his/their/its legal representative,
  2.  must be sent to the address (the "DMCA Agent") that the campus registers with the Copyright 
Office<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.copyright.gov%2Fdmca-directory%2F&data=02%7C01%7C%7Ca1ffa67eec394a1da8b008d7b4cd83b1%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C637176667189802129&sdata=9pT2ooJxjO3n6TA1xBYrMzMYbGBiQ8ImHXOiLvPkcNU%3D&reserved=0>,
 and
  3.  must contain sufficiently specific information to identify the material in question, when precisely the 
infringement was detected (which typically means that the offending material was actually accessible, not just 
advertised), and at what IP address the infringing material was accessed.

Campuses can safely ignore complaints that do not satisfy these criteria, for example "pay or else" notices sent 
directly to individuals, or threatening letters from law offices that do not represent specific copyright holders.

The typical "effective" process satisfying #2 also has three components:

  1.  an email address registered to receive DMCA notices (using an individual's address is a bad idea, since 
individuals come and go),
  2.  appropriate logs, tools, and network-savvy staff in place to associate the IP address and timestamp in the 
complaint with a particular user or physical location, and
  3.  a progressive set of consequences for perpetrators who can be identified. The progressive set is often an 
automated acknowledgement for a first offense, a meeting with network security or similar staff for a second, and 
formal campus disciplinary processes for a third or subsequent.

Some campuses go further by either constraining access to sites or protocols highly correlated with copyright 
infringement (either outright, for example by blocking or throttling BitTorrent at the campus border), or by using 
their intrusion-detection tools to look for likely offenders and deal with them proactively.

From the outset it was clear that there was great variability in campuses' DMCA experiences, and in particular the 
volume of DMCA complaints received. While I was at NBCUniversal, I got access to data from several major senders of 
DMCA notices, and the results were surprising.

The vast majority of campuses, it turned out, received no DMCA notices at all, and a few campuses accounted for the 
lion's share. Size explained a bit of this, but not most. So I also interviewed IT staff at campuses that received many 
and few notices.

I wrote a blog post summarizing the results, and it's still out there: 
http://gjackson.us/ruminations/?p=891<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgjackson.us%2Fruminations%2F%3Fp%3D891&data=02%7C01%7C%7Ca1ffa67eec394a1da8b008d7b4cd83b1%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C637176667189812124&sdata=0OvI82tiiVCaUVPcPK1IPOeb1pMbOMz820H2dMPnSUQ%3D&reserved=0>
 . But in a sense the study's finding can represented by one extreme case and one large category.

The extreme case (Helium, in the post) was a campus that did not block or throttle any protocols or sites, and that  
maintained no logs for its NAT concentrators. The concentrators' ten external IP addresses accounted for a huge 
fraction of all higher-education DMCA notices. Since the campus maintained no logs for the concentrators, it could not 
trace complaints, and users were never notified of complaints. Helium's network users perceived (correctly) that 
distributing unauthorized copyrighted material had no consequences for them.

The large category was campuses blocking or severely throttling BitTorrent and other protocols (or sites) typically 
associated with unauthorized distribution of copyrighted material.

So the advice is, if you don't want to deal with lots of DMCA complaints, then block or throttle the offending 
protocols, ports, and/or sites. If you don't want to or can't do that, manage the network and handle the inevitable 
DMCA complaints so that offenders can be identified and dealt with. Most of us who have managed processes like that 
know that even when the allegedly offending user denies having done anything, the problematic behavior usually 
stops--that is, there are very few second or third offenses. Moreover, word gets around, and students who want to 
offend find ways of doing so without involving the campus network.

▬▬▬▬▬▬▬▬▬▬▬▬ greg jackson
▬▬▬▬▬▬▬▬▬▬▬▬ gjackson.us
▬▬▬▬▬▬▬▬▬▬▬▬ 1-773-936-9235
On 2/17/2020 7:44 AM, Kimmitt, Jonathan wrote:
 I have a quick question about how everyone deals with DMCA violations.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community