DMCA responses

[Jim Moore <jhmfa () CIS RIT EDU>]

I am in the process of consulting with our legal counsel to meet the
requirements of the DMCA.

As with any security initiative, security awareness is important.  This
will appear to be big brother.  We clearly support in our policy the
respect for copyrights and intellectual property.  But I was wondering
as to how other universities are handling this.

From a legal standpoint, I can see passing on the complaint letter as
an attachment that reiterates the position of the Institute.  Our note
should set expectations of increasing penalties over a short but
reasonable point of time.  This is where I need help.  I imagine that
people will scream no matter what, but if anyone has satisfaction that
they have hit a reasonable balance, please let me know.

I have thought of the following.
1) Immediately limit the student's network usage to campus, with the
exception of port 80.  If they figure out filesharing over port 80, then
block that too.  (P.S. I don't know if we can do that from a practical
standpoint -- if there is too much overhead on the routers with this
stance).  That would keep the student focused on what they should be
focused on all along, their work at the Institute.

2) State that they have 5 days of the school calendar to comply.
Compliance can have 1 of 2 forms.
  a) The student removes the infringing material
  b) The student copies us in on a complaint to the copyright owner
that the allegation is in error, complete with legal reasons why it is
in error.

Have language in there to acknowledge that the student may have had a
system compromised, and that they did not place the content there, while
maintaining that the removal of the content is still their responsibility.

Specifically, I was wondering if going to the 2 steps is necessary, or
if terminating network access is sufficient, and if so, how has it gone
over.  And for systems whose network access is terminated, how do you
handle reconnection to the network?

And what is reasonable or at least legally compliant time frame?
(Students take long weekends, they leave their systems on over breaks
between quarters etc.  I would like to make sure that they don't come
back from a weekend or break and find no network connection.  I don't
know if that is possible.

Also, how specific do people get in terms of Safe Harbor provisions when
corresponding to students, i.e. that the Institute/University is liable,
if they don't comply, and that would surely take away funds from
activities related to the pursuit of education and the support of the
students.

Jim
--
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.