This past summer
saw developments relating to peer-to-peer (“P2P”) music file sharing.
Of most significance, on June 25, 2003, the Recording
Industry Association of America ("RIAA"), a trade
group that represents U.S. record companies, announced it would
seek out the heaviest P2P service users and sue them for copyright
Subsequently on September 8 the RIAA filed
suit against 261 individuals in federal courts across the country.
In order to identify these individuals, the RIAA issued over 1600
subpoenas under the Digital Millennium Copyright Act. The RIAA has
since issued lawsuit notification letters to an additional 204 individuals.
In connection with the recording industry's enforcement effort, colleges and universities have been served with DMCA subpoenas seeking the identity
of students engaged in file sharing on educational networks and
should be aware of their rights and responsibilities in this regard. This Note will describe P2P file sharing, identify some
campus policies to respond to or prevent inappropriate activity,
and suggest possible responses by institutions in receipt of a DMCA
subpoena seeking the identity of alleged copyright infringers using
the institution's computer network.
What Is Peer-to-Peer
networks consist of users who share information directly with each
other over the Internet without having to log onto a central computer.
In 1999, a Northeastern University student created a software program
called Napster, which allowed its users to trade music and other
data online. In February 2001, however, the United States Court
of Appeals for the 9th Circuit held that Napster, Inc. had committed
contributory copyright infringement by maintaining a central database
of available files and their locations for the program’s users
Following the Napster case, the
recording industry targeted the other major peer-to-peer file sharing
services, including KaZaA, Grokster, Aimster and Morpheus. While
these services are also designed to let people exchange music, movies,
videos and other files over the Internet, they, unlike Napster,
are not themselves directly involved in the actual process of sharing,
but instead merely provide programs that permit the sharing to occur.
A recent federal decision concluded that the companies that provide
these programs are not engaging in infringing activity, because
the programs can also be used for legitimate file sharing – just
as a VCR may be used for both legal and illegal acts .
In its effort to protect the intellectual
property of its members, the recording industry is now attempting
to pursue directly individuals who share files of copyrighted material.
Some (though by no means the dominant) percentage of file sharing
occurs in the college and university environment,  and
many of the first subpoenas were issued to educational institutions.
Colleges and universities should be prepared to respond if they
receive such subpoenas and should take steps to protect themselves
– and their students – from potential lawsuits.
Peer-to-Peer Sharing Issues for
Universities and Colleges
the current legal climate, universities should
be aware of the following P2P file-sharing issues.
Distribution of copyrighted materials over the Internet without
the copyright owner’s permission can be a violation of the Sec. 106 of the Copyright
Act. The DMCA generally protects colleges and universities from
liability for illegal file sharing by their students on university
networks. However, the institution must register with the Copyright
Office and comply with certain other requirements in order to obtain
this “safe harbor” immunity .
Moreover, the institution can lose its immunity in some cases if
it knows or should know about specific infringing activity .
Other Network Issues
can adversely affect the performance of the computing network in
several ways. File sharing can consume a large amount of bandwidth --
some studies have shown that as much as 60% of all traffic/storage
on university networks may be devoted to file sharing, leaving little
room for more important traffic . Large scale file sharing may also render a network more
susceptible to viruses and privacy violations and may open the door
to hackers. Moreover, excessive P2P sharing on an institution's
network may result in a large volume of DMCA subpoenas, the processing
of which requires use of limited institutional resources.
Recording Industry Concerns
In an October 3, 2002, letter to nearly 2,300 college and university
presidents, the RIAA expressed concern over student “piracy of copyrighted
creative works” and addressed the need for academic institutions
to develop policies to prevent online copyright infringement . Specifically,
the RIAA requested that colleges and universities adopt and implement
(1) Inform students of their moral
and legal responsibilities;
(2) Specify what practices are and are not acceptable on your school's network;
(3) Monitor compliance; and
(4) Impose effective remedies against violators.
While these requests go beyond the requirements
of the DMCA – which, in particular, does not require an ISP to monitor
its users’ compliance with copyright law – they are an important
indicator of the recording industry's expectations.
What Should A
College or University Consider When Implementing Policy?
Whether for legal, bandwidth management
or other reasons, institutions attempting to deal with these issues
should consider taking some or all of the following steps:
Adopt and inform students and
other users of
a policy terminating the network privileges of those found to be
infringing copyrights repeatedly and actively enforce that policy
when infringements are identified. Doing so is a prerequisite
to the DMCA safe harbor.
Post the policy on the institution's website
where it is easily accessible to the university community.
In addition, institutions may wish to implement a mechanism that
requires users to prove they have read the policy prior to obtaining
initial access to the institution's network .
Educate users about
copyright law and give them examples of what they can and cannot
do . Let
them know that it generally is best to assume that all but the oldest
material is copyright protected unless explicitly stated otherwise
and that copyright infringers could face up to $150,000 per infringement,
as well as potential criminal penalties in some cases.
Recognize that not all P2P file sharing
is copyright infringement; some P2P sharing may have legitimate
academic use, and your policy should acknowledge the academic benefits
of legitimate P2P sharing.
Consider implementing packet-shaping
or other technical means of limiting the amount of file sharing that can
occur on the network.
What If An Institution Receives a DMCA Subpoena?
DMCA gives copyright owners the ability to subpoena internet service
providers (including colleges and universities operating computer
networks) for “information sufficient to identify the alleged infringer”
holders need not file a lawsuit first; the copyright holder need
only apply to the clerk of any United States district court
(see discussion at footnote 15 below).
must include the following:
a signature of a person authorized to act
on behalf of the copyright owner;
identification of the copyrighted work
claimed to have been infringed;
identification of the material claimed
to be infringing (including information reasonably sufficient to
allow the service provider to locate the material);
information reasonably sufficient to allow
the service provider to locate the complaining party;
a statement that the complaining party
has a good faith belief that the use of the material is not authorized;
a statement that the information in the
application is accurate;
a proposed subpoena; and
a sworn declaration that the purpose of
the subpoena is to identify the alleged infringer and that the information
obtained will be used only to protect copyright rights .
A college or university that receives such
a subpoena must “expeditiously disclose to the copyright owner or
person authorized by the copyright owner the information required
by the subpoena, notwithstanding any other provision of law …” . Before doing so,
however, the institution should confirm that
the subpoena complies with the requirements listed above. If it does not, compliance with the subpoena
would not be required by the DMCA and therefore presumably would
be prohibited by the Family Educational Rights and Privacy Act (“FERPA”)
[20 U.S.C. 1232(g)(b)(2)(B)] . Whether a subpoena that does comply
with the DMCA requirements must also comply with the additional
requirements of FERPA – including notification of the affected students
in advance of compliance – is an open question . Institutions
would be wise to continue to insist on compliance with FERPA until
this issue is resolved.