Educause Security Discussion mailing list archives
Re: DMCA Violation
From: Colleen Keller <ckeller () EDUCAUSE EDU>
Date: Wed, 19 Feb 2020 18:33:25 +0000
EDUCAUSE does still maintain the list of Legal Sources of Online Content. https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/educause-policy/legal-sources-onli Please let me know if you have any questions, thank you. Colleen Keller Manager, Metadata and Library Services EDUCAUSE<http://www.educause.edu/> Uncommon Thinking for the Common Good direct: 303.939.0309 | main: 303.449.4430 | educause.edu<http://www.educause.edu/> | Twitter: @EDUCAUSElibrary From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Greg Jackson Sent: Tuesday, February 18, 2020 4:52 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] DMCA Violation Long post, for which apologies, but I thought it might be useful for some background and observations on the DMCA issues and practice, time having passed and experience having accumulated. Plus, I'm avoiding working on my taxes. By way of introduction, I served as the University of Chicago's DMCA agent for some years, and as a reward (or, same thing, punishment) ended up testifying on the Hill and then landed squarely in the middle of the negotiations that yielded the 10/29/2009 HEOA regulation<https://library.educause.edu/resources/2009/10/final-heoa-regulations-issued-for-p2p-provisions>s. A few years later, as further punishment (albeit the paid kind), I spent a year+ over on the dark side, helping NBCUniversal try to come up with carrots to replace (or at least balance) its sticks. That, as a byproduct, gave me access to a lot of relevant data on patterns of detection, notification, and prevention (more on that at the bottom), although the project fizzled when NBCU leadership changed and the project's patron moved on from copyright to tackle LaGuardia rapid-transit access and other easier issues. Per DMCA generally and HEOA specifically, campuses must deal with the issue, on pain (in theory) of being held liable for their students' unauthorized distribution of copyrighted material (which the the copyright industry likes to call "piracy") or, in the extreme, becoming ineligible for certain federal funding (no one thinks this would really happen). "Deal with the issue" involves three parts: 1. An annual disclosure to students describing copyright law and campus policies related to violating copyright law, 2. A plan to "effectively combat the unauthorized distribution of copyrighted materials" by users of its network, including "the use of one or more technology-based deterrents", and 3. A plan to "offer alternatives to illegal downloading". #1 is easily satisfied as part of orientation, network signup, or other routine points at which students are told what they should or shouldn't do. #3 is also easily satisfied, since simply telling students about some legitimate sources (which are far more numerous and commonly used today than they were back then) checks the box. EDUCAUSE used to maintain a list to which a campus could simply link, but that seems to have disappeared. #2 is the core requirement. In general, it means that campuses must have some kind of policy with regard to copyright infringement, and reasonable mechanisms to implement it. Different campuses choose different reasonable mechanisms, but I think it's fair to assert that most campuses start with effective processes for dealing with properly framed DMCA complaints from copyright holders. Not all complaints about copyright infringement are "properly framed DMCA complaints". To qualify, a complaint 1. must be from the copyright holder(s) or her/his/their/its legal representative, 2. must be sent to the address (the "DMCA Agent") that the campus registers with the Copyright Office<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.copyright.gov%2Fdmca-directory%2F&data=02%7C01%7C%7Ca1ffa67eec394a1da8b008d7b4cd83b1%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C637176667189802129&sdata=9pT2ooJxjO3n6TA1xBYrMzMYbGBiQ8ImHXOiLvPkcNU%3D&reserved=0>, and 3. must contain sufficiently specific information to identify the material in question, when precisely the infringement was detected (which typically means that the offending material was actually accessible, not just advertised), and at what IP address the infringing material was accessed. Campuses can safely ignore complaints that do not satisfy these criteria, for example "pay or else" notices sent directly to individuals, or threatening letters from law offices that do not represent specific copyright holders. The typical "effective" process satisfying #2 also has three components: 1. an email address registered to receive DMCA notices (using an individual's address is a bad idea, since individuals come and go), 2. appropriate logs, tools, and network-savvy staff in place to associate the IP address and timestamp in the complaint with a particular user or physical location, and 3. a progressive set of consequences for perpetrators who can be identified. The progressive set is often an automated acknowledgement for a first offense, a meeting with network security or similar staff for a second, and formal campus disciplinary processes for a third or subsequent. Some campuses go further by either constraining access to sites or protocols highly correlated with copyright infringement (either outright, for example by blocking or throttling BitTorrent at the campus border), or by using their intrusion-detection tools to look for likely offenders and deal with them proactively. From the outset it was clear that there was great variability in campuses' DMCA experiences, and in particular the volume of DMCA complaints received. While I was at NBCUniversal, I got access to data from several major senders of DMCA notices, and the results were surprising. The vast majority of campuses, it turned out, received no DMCA notices at all, and a few campuses accounted for the lion's share. Size explained a bit of this, but not most. So I also interviewed IT staff at campuses that received many and few notices. I wrote a blog post summarizing the results, and it's still out there: http://gjackson.us/ruminations/?p=891<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgjackson.us%2Fruminations%2F%3Fp%3D891&data=02%7C01%7C%7Ca1ffa67eec394a1da8b008d7b4cd83b1%7Cdd4b037fe626495db0170cc0f7dddb37%7C0%7C0%7C637176667189812124&sdata=0OvI82tiiVCaUVPcPK1IPOeb1pMbOMz820H2dMPnSUQ%3D&reserved=0> . But in a sense the study's finding can represented by one extreme case and one large category. The extreme case (Helium, in the post) was a campus that did not block or throttle any protocols or sites, and that maintained no logs for its NAT concentrators. The concentrators' ten external IP addresses accounted for a huge fraction of all higher-education DMCA notices. Since the campus maintained no logs for the concentrators, it could not trace complaints, and users were never notified of complaints. Helium's network users perceived (correctly) that distributing unauthorized copyrighted material had no consequences for them. The large category was campuses blocking or severely throttling BitTorrent and other protocols (or sites) typically associated with unauthorized distribution of copyrighted material. So the advice is, if you don't want to deal with lots of DMCA complaints, then block or throttle the offending protocols, ports, and/or sites. If you don't want to or can't do that, manage the network and handle the inevitable DMCA complaints so that offenders can be identified and dealt with. Most of us who have managed processes like that know that even when the allegedly offending user denies having done anything, the problematic behavior usually stops--that is, there are very few second or third offenses. Moreover, word gets around, and students who want to offend find ways of doing so without involving the campus network. ▬▬▬▬▬▬▬▬▬▬▬▬ greg jackson ▬▬▬▬▬▬▬▬▬▬▬▬ gjackson.us ▬▬▬▬▬▬▬▬▬▬▬▬ 1-773-936-9235 On 2/17/2020 7:44 AM, Kimmitt, Jonathan wrote: I have a quick question about how everyone deals with DMCA violations. ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: DMCA Violation, (continued)
- Re: DMCA Violation Jim A. Bole (Feb 17)
- Re: DMCA Violation Menne, Michael S (Feb 17)
- Re: DMCA Violation Scantlin, Aaron J. (Feb 17)
- Re: DMCA Violation King, Ronald A. (Feb 17)
- Re: DMCA Violation John K Lerchey (Feb 17)
- Re: DMCA Violation Kimmitt, Jonathan (Feb 17)
- Re: DMCA Violation Garrett McManaway (Feb 18)
- Re: DMCA Violation Ronald Loneker (Feb 19)
- Re: DMCA Violation Kimmitt, Jonathan (Feb 17)
- Re: DMCA Violation Kimmitt, Jonathan (Feb 19)
- Re: DMCA Violation Colleen Keller (Feb 19)
- Re: DMCA Violation Barton, Robert W. (Feb 17)
- Re: DMCA Violation Thomas Carter (Feb 18)
- Re: [External] Re: [SECURITY] DMCA Violation Gregg, Christopher S. (Feb 18)
- Re: [External] Re: [SECURITY] DMCA Violation Dennis Bolton (Feb 18)
- Re: [External] Re: [SECURITY] DMCA Violation sgennari (Feb 18)
- Re: [External] Re: [SECURITY] DMCA Violation Thomas Carter (Feb 18)
- Re: [External] Re: [SECURITY] DMCA Violation Julian Y Koh (Feb 18)
- Re: [External] Re: [SECURITY] DMCA Violation Rob Milman (Feb 18)
- Re: [External] Re: [SECURITY] DMCA Violation Francisco Chavez (Feb 18)