Educause Security Discussion mailing list archives
Re: DMCA subpoenas have arrived . . .
From: Eoghan Casey <eco () CORPUS-DELICTI COM>
Date: Wed, 16 Jul 2003 13:25:34 -0400
Tracy, I am wondering about the liability associated with failing to preserve logs that are known to contain related evidence. For instance, suppose that NetFlow logs are collected routinely for all Internet traffic but are also routinely deleted after a certain period. In your opinion, does an IT department have a legal responsibility to prevent those NetFlow logs from being deleted when one of these subpoenas is received even if the subpoena does not include a preservation request? My initial sense - if nobody asks for those NetFlow logs to be preserved, the IT department is not required to take the initiative. However, I am wondering if there are negligence/due diligence issues. Eoghan Casey Tracy Mitrano wrote:
Dick, I cannot answer those questions specific to incidents at other schools, but I would like to share the draft compulsory legal papers policy we have in process at Cornell (spurred on by Patriot Act) for proper funneling of such documents to the appropriate offices. May I also share a question that has come up in private correspondence: Question: Should the IT department do any extra investigation into the matter, for example the netflow traffic relevant to the subpoenas? Answer: My $.02: no. I would not do any additional investigations. The institution does not owe that information to the requester; if the alleged defendant wants it, he or she can subpoena the information themselves. Also, the more information provided, the more the likelihood that it may cross over into an "educational record." Wouldn't that be an irony: schools try to comply and then find themselves being faced with a FERPA violation! Any further defenses/evidence will be conducted by the parties, in court. I would strive to keep our academic institutions as far out of the process as possible, while still complying with the law. I hope that helps folks. Also, I have received calls from journalists looking for schools that have had subpoenas. I have provided no names of specific schools. The most recent is from Katie Dean at Wired. If anyone would like to talk with her about such experiences, her number is 415-276-8501. Hope that helps! Tracy At 03:54 PM 7/14/2003 -0500, Dick Jacobson wrote:On Fri, 11 Jul 2003, Tracy Mitrano wrote: I saw the question but have not seen an answer .. How were these served ?? On the President ? On the DMCA Agent ? On someone else ?Hi Jack, My sympathies to your school, although it is only a matter of "there but for the grace of god go we", i.e. a matter of time, before we all face this matter. We are here at the EDUCAUSE/Cornell Institute for Computer Policy and Law and have talked extensively about this issue. First we have learned that you are not alone. I believe that Northwestern has also received some "Verizon" type subpoena, and I think I have heard of some more. After the circuit court decided the case on Verizon I have pushed hard on this issue by querying anyone and everyone whom I believed had expertise in this area. Recognizing the legal posture of this issue, I have focused on the question of whether there is a policy response that higher education might want to give based on some very general principles of "academic freedom" or "the spirit of FERPA." My conclusion is that none of these arguments are adequately tenable as a legal matter. Given the totality of circumstances and including the fact that higher education should not be in the business of protecting flagrant offenders of federal law, upon ascertaining that the subpoena is in proper legal order, campuses should comply. The next issue is whether to inform the individual whose name is requested. FERPA requires such notification unless the subpoena specifically restricts that the institution do so. Whether the name is an "educational record" is questionable, however, and probably not, but nor does it appear that the subpoenas specifically restrict notification either. It is up to the institution, and the only thing I would recommend is that institutions figure out in advance: (1) its routing of legal papers protocol; (2) compliance procedures; (3) whether the institution will notify the individual and (4) how to do so appropriately. Please, everyone, keep us posted! Tracy At 06:21 PM 7/9/2003 -0500, you wrote:Good evening I want to let you know that we at Loyola Chicago have received our first subpoena issued on behalf of the Recording Institute Association of America (RIAA) accompanied by a DMCA notification of copyright infringement. Are we alone here on this? The subpoena delivered by a process server in person directed that the University provide the names, addresses, telephone numbers and e-mail address, of persons assigned to a specific IP address. After discussion with our colleagues in student affairs and general counsel, we opted to comply with the subpoena and to send an e-mail to the persons assigned to the IP address (indicated in the subpoena) advising them about the DMCA notice of copyright infringement and about subpoena -- after checking to see whether the persons involved (who are students currently enrolled in our summer session) had placed a hold on the release of their directory information. Regarding students who have placed a hold on the release of their directory information we still plan to advise the student but give the student time to contact the counsel for groups such as RIAA to contest the subpoena. We will need to contact the counsel to request additional time to enable us to comply with the subpoena. I expect that this is the beginning of a new campaign by groups such as the RIAA to deal with students making available copyright materials on the Internet using the university network resources. I had anticipated this action after the announcement of the Verizon decision but not so soon. As I had asked at the beginning of this note, are we alone? If not, what has been your experience? Ciao! Jack-- ----------------------------------------------------------------------- Dick Jacobson e-mail : Dick.Jacobson () ndsu NoDak edu ND HECN MultiUser Host SysAd office : IACC 206, NDSU NDUS IT Security Officer phone : 701-231-7385 ----------------------------------------------------------------------- ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- Re: DMCA subpoenas have arrived . . . Tracy Mitrano (Jul 16)
- <Possible follow-ups>
- Re: DMCA subpoenas have arrived . . . Eoghan Casey (Jul 16)
- Re: DMCA subpoenas have arrived . . . Tracy Mitrano (Jul 16)
- Re: DMCA subpoenas have arrived . . . H. Morrow Long (Jul 18)
- Re: DMCA subpoenas have arrived . . . Mark Luker (Jul 18)