Educause Security Discussion mailing list archives
Re: DMCA Infringement Handling
From: Bradley Jonko <jonko () STANFORD EDU>
Date: Wed, 12 Oct 2011 15:38:23 -0700
Like many others we have employed several homegrown scripts that automate the handling of the incoming complaint emails, computer lookup, traffic flow confirmation and email notification processes. We worked with our Office of General Counsel to come up with a 3-strikes policy for the University. We also built an online resolution portal where individuals can completely resolve their complaints without ever having to contact us for the first and second offenses. We have gotten to the point of only having to personally touch very few complaints (some special cases) that come in. Our online portal requires everyone to take a DMCA quiz and pass with 80% correct. The quiz consists of 5 questions (chosen at random from a pool of ~20 questions) and 2 static questions regarding network access restrictions that have to both be right plus 80% right from the first 5 questions. A passing grade on the quiz is valid for 7 days, at which point they need to take the quiz again. Upon passing the quiz, everyone is given an option of how they would like to respond to their complaint. They are given 1 of 4 choices: 1. I've removed the offending material 2. I'll file a counter notification 3. The complaint is mistaken: This is only reserved for blatantly mistaken complaints, ie. Complaints for: printers, networking equipment, etc 4. I'll leave this unresolved for now Note that only option 1 actually resolves the complaint automatically through the portal. Users are given 3 business days (holidays and special University dates, like dead week and commencement week, are not counted) before we set their network registration node to a "frozen" state. The frozen state is configured such that the network node is issued IP space that is setup to automatically redirect all network traffic to our resolution web portal. The 3 day cut off time was decided on by our Office of General Counsel as an "expeditious" time for removing access of the material from the University network. Since the frozen state does not allow any traffic out, this covers our legal obligation to remove access from the public internet. Upon completion of a complaint resolution, we have just implemented this semester an "affirmation" step where individuals have to affirm their future intentions and agree to understand the consequences for future complaints. For first time offenders, they are able to affirm immediately following resolution. Second time offender incur a 4 day internet suspension upon completing their resolution, and after the 4th day they are allowed to affirm. Third time offenders are referred to Judicial Affairs during which time all network nodes registered to them are disabled until they complete their case with Judicial Affairs. This process currently takes our Judicial Affairs Office approx one academic quarter to complete, which the students are informed of ahead of time. For Staff they are referred to their HR representative and it is up to HR to decide appropriate actions. The first few section of our portal are public, https://resolution.stanford.edu , so feel free to poke around. Feel free to send any questions. Answers to previous questions below: 1) What is your charge or penalty for first and repeat infringement? Our office reserves the ability to incur a $1000 network reconnection fee upon completion of third offense. 2) When do disciplinary staff intervene? first time or repeats? Only on the Third Strike: Judicial Affairs for students and HR for staff 3) How long do you deny network access? First Strike: no penalty (if resolved in the 3 business days) Second Strike: 4 day network suspension Third Strike: indefinite network suspension until completion of either Judicial Affairs or HR 4) If a student has multiple devices, do you deny access to all devices or just the one implicated in the complaint? First and Second Strikes: only the implicated device Third Strike: all registered devices 5) Who was involved in the approval process for your procedures? Information Security Office and Office of General Counsel (assistance from IT and Networking for restrictions) 6) How much pushback to you get from users who receive infringement notices? We get very little pushback from the notices. Usually we get users responsible for a residence (staff and student) where guests or visiting children has engaged in P2P while staying there. Ultimately our network policy holds the registered user responsible for the complaint and most usually comply with no issue after explaining the DMCA to them. 7) Do you have an appeals process that has ever given an infringing user any relief? Users are given the option to contact the Security Office if they feel the complaint is in error, but our scripts confirm network traffic logs which makes most cases hard to argue out of. For the Third Strike students have to appeal to Judicial Affairs and staff to HR 8) May I use your institution name along with your other responses in my report to the administration? Yes 9) Do you ever get complaints forwarded from an agent of the pornography industry? (we have seen a few recently) Yes, and recently they have recently included a shakedown notice as part of their complaint. These requests typically ask the user to visit the company's website and pay a fine for the copyright violation to avoid and legal action. We have a lawyer in our General Counsel Office that specializes in Copyright law and has asked to be kept informed of such notices, so made adjustments to our automated email scripts to flag these for us to forward along. Thank you, Brad Jonko Information Security Office Stanford University jonko () stanford edu 650.724.2822
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
Sent: Thursday, September 15, 2011 1:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DMCA Infringement Handling
We are considering revising our DMCA infringement handling procedures,
especially with regard to repeat infringers.
I wonder what everybody else is doing with these issues?
We match up the complaint with our IP>Etnernet assignment and network
traffic logs. I forward the complaint to the student and disable their
ethernet card registration. They are required to pay $50 and give an
assurance that the infringing file(s) and filesharing software have
been removed. I then re-enable their ethernet card registration for
access to our network.
Repeat infringers get the same procedure except that they also are
referred to the VP for Student Services for some sort of an
appointment. I do not know what happens in that appointment.
Would you share with me, so I could tabulate it and present the options
others use to our administration:
1) What is your charge or penalty for first and repeat infringement?
2) When do disciplinary staff intervene? first time or repeats?
3) How long do you deny network access?
4) If a student has multiple devices, do you deny access to all devices
or just the one implicated in the complaint?
5) Who was involved in the approval process for your procedures?
6) How much pushback to you get from users who receive infringement
notices?
7) Do you have an appeals process that has ever given an infringing
user any relief?
8) May I use your institution name along with your other responses in
my report to the administration?
Finally, a slightly separate question:
9) Do you ever get complaints forwarded from an agent of the
pornography industry? (we have seen a few recently)
Thanks for any info you are willing to share.
Bob Bayn (435)797-2396 IT Security Team
We will never send you email asking for your password
(never, never, never with this one exception: NEVER!)
Office of Information Technology, Utah State University
http://tinyurl.com/bicyclists-share-kidneys-v2-0
USU employees - join the Phirst Phish Contest
http://it.usu.edu/security/htm/phirst-phish-contest
Current thread:
- Re: DMCA Infringement Handling Bradley Jonko (Oct 12)