Re: DMCA Infringement Handling

["Doty, Timothy T." <tdoty () MST EDU>]

Most or all of our procedure is documented at
http://communitystandards.mst.edu/technology.html and our HEOA page is at
http://it.mst.edu/current_students/security/heoa_compliance.html

> 1) What is your charge or penalty for first and repeat infringement?

None, $100, $200 for first, second and third. These are processing fees as
distinct from fines.

> 2) When do disciplinary staff intervene?  first time or repeats?

Student Affairs talks with the student starting with the first offense

> 3) How long do you deny network access?

14 days, 28 days and 4 months for first, second and third

> 4) If a student has multiple devices, do you deny access to all devices
> or just the one implicated in the complaint?

All devices

> 5) Who was involved in the approval process for your procedures?

IT, Student Affairs and Student Council

> 6) How much pushback to you get from users who receive infringement
> notices?

A fair amount. I don't recall any that seriously questioned the evidence,
many seem to think that anything short of absolute proof of the specific
allegation completely absolves them. I had a student freely admit they
pirated every console game they had, but challenged our ability to prove
that the specific game was being shared at the specific time. 

> 7) Do you have an appeals process that has ever given an infringing
> user any relief?

Appeal process? I don't think there is anything formalized. They can (and
do) contest with Student Affairs. I provide them with the technical
evidence. Sometimes the student insists on talking with IT.

My position is that we are handling a notice of copyright infringement filed
according to the DMCA and protecting the University's safe harbor status. We
validate the allegation (date/time, IP address, port) against netflow and if
the evidence isn't there we don't proceed, but respond to the filer that we
were unable to substantiate their claim and need more evidence. We have
never heard back and I doubt they read any of the correspondence.

Systems are registered for use on our network and, by AUP, the registered
owner is responsible for the activity. I don't really care if the identified
device was an access point and had multiple users -- the owner made himself
responsible when he registered the device. This surprises and upsets some
students, but they get a lesson in responsibility that at least doesn't cost
them thousands of dollars or involve jail time.

Enterprising students sometimes suggest their IP address was spoofed, but a
quick lesson in networking remedies their belief that IT has no clue. At
least once a savvy student has tried to spread doubt by suggesting that
someone else spoofed his mac address. DHCP logs go a long way to showing
otherwise. (Or, as in the case of a non-DMCA complaint, demonstrating that
mac spoofing *was* happening and identifying the culprit who had a nice chat
with student affairs.)

Bottom line, we have sufficient logging to demonstrate that the complaint
was or was not valid and to tie it to a user. We do the leg work up front
and put the documentation in the file. We only proceed if we can identify
the infringer. And this is an administrative procedure, not civil court,
much less criminal and even there the standard of evidence is not absolute
proof. 

> 8) May I use your institution name along with your other responses in
> my report to the administration?

I don't mind standing by what I say. And this is a public list. Though I do
appreciate your asking ;^)

For anything official refer to the link I started with. The rest are my
personal statements and have not been approved by communications, much less
legal, to be anything other than that.

> Finally, a slightly separate question:
> 9) Do you ever get complaints forwarded from an agent of the
> pornography industry?  (we have seen a few recently)

We have had some that claim to be from an agent of the pornography industry.
The first of those we received was a few years ago and my recollection is
that it consisted of:

1. an attempt to extort $20 or so from the user
2. was not actually filed in accordance with the DMCA
3. the filer did *not* appear to be a duly authorized agent of the copyright
holder

Since then we have had a scattering of such claims. If it is filed according
to the DMCA and they are a duly authorized agent I process it the same as
any other claim filed in such fashion. Others are handled on a case-by-case
basis.

Tim Doty
System Security Analyst
Missouri S&T

Attachment: smime.p7s
Description: