Educause Security Discussion mailing list archives

Re: DMCA responses


From: "St. Laurent, Tim" <tstlaure () RICHMOND EDU>
Date: Tue, 17 Dec 2002 14:36:22 -0500

Just an FYI, they have already figured out how to use P2P software on port
80.

----------University of Richmond----------
Tim St. Laurent
Security Administrator
*tstlaure () richmond edu
*804-289-8655




-----Original Message-----
From: Jim Moore [mailto:jhmfa () CIS RIT EDU]
Sent: Tuesday, December 17, 2002 2:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DMCA responses


I am in the process of consulting with our legal counsel to meet the
requirements of the DMCA.

As with any security initiative, security awareness is important.  This will
appear to be big brother.  We clearly support in our policy the respect for
copyrights and intellectual property.  But I was wondering as to how other
universities are handling this.

From a legal standpoint, I can see passing on the complaint letter as an
attachment that reiterates the position of the Institute.  Our note should
set expectations of increasing penalties over a short but reasonable point
of time.  This is where I need help.  I imagine that people will scream no
matter what, but if anyone has satisfaction that they have hit a reasonable
balance, please let me know.

I have thought of the following.
1) Immediately limit the student's network usage to campus, with the
exception of port 80.  If they figure out filesharing over port 80, then
block that too.  (P.S. I don't know if we can do that from a practical
standpoint -- if there is too much overhead on the routers with this
stance).  That would keep the student focused on what they should be focused
on all along, their work at the Institute.

2) State that they have 5 days of the school calendar to comply. Compliance
can have 1 of 2 forms.
   a) The student removes the infringing material
   b) The student copies us in on a complaint to the copyright owner that
the allegation is in error, complete with legal reasons why it is in error.

Have language in there to acknowledge that the student may have had a system
compromised, and that they did not place the content there, while
maintaining that the removal of the content is still their responsibility.

Specifically, I was wondering if going to the 2 steps is necessary, or if
terminating network access is sufficient, and if so, how has it gone over.
And for systems whose network access is terminated, how do you handle
reconnection to the network?

And what is a reasonable or at least legally compliant time frame? (Students
take long weekends, they leave their systems on over breaks between quarters,
etc.  I would like to make sure that they don't come back from a weekend or
break and find no network connection.  I don't know if that is possible.)

Also, how specific do people get in terms of Safe Harbor provisions when
corresponding to students, i.e. that the Institute/University is liable, if
they don't comply, and that would surely take away funds from activities
related to the pursuit of education and the support of the students.

Jim
--
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.
