Thursday, January 8, at 1 p.m.,
U.S. Eastern time
A federal appeals court last month severely hindered the ability of the
Recording Industry Association of America to use fast-track subpoenas to glean
the identity of people, including college students, whom it suspects of trading
music online. The group has been using the information to file
copyright-infringement lawsuits against the suspects. But the court said the
Digital Millennium Copyright Act does not allow the subpoenas to be served on
Internet service providers whose networks are mere conduits for file-sharing.
How does the ruling change the relationship between colleges and the
recording-industry group? Should colleges help the group ferret out file
sharers on campuses? Are colleges legally obligated to assist the group? What
obligation, if any, do college officials have to assist the recording industry
in tracking and punishing students who use college networks to swap music
online in violation of copyright law?
A transcript of the chat follows.
Andrea L. Foster (Moderator):
Hello, I'm Andrea Foster, a staff reporter here at The
Chronicle of Higher Education.
Today we're going to be discussing the implications for colleges of the federal-appeals court decision that curtailed the ability of the Recording Industry Association of America to use fast-track subpoenas to identify people who swap music online.
Our guest today is Charles R. Nesson, a professor at Harvard Law School, and the faculty co-director of Harvard's Berkman Center for Internet & Society.
Welcome, Charles.
Charles R. Nesson:
Hello,
I understand that we will be discussing the implications of the recent Verizon
opinion for universities. Prior to the Verizon decision, universities had been
"responding expeditiously" (to use the language of DMCA section
512(i)) when notified that one of its students was offering copyrighted
material in a publicly shared folder. The Verizon decision suggests that
universities may now be able to maintain that they are mere conduits and do not
control the infringing material on their students' computers, and therefore
have no obligation to respond to notices of infringement.
I look forward to talking with you at two levels: First, in light of the
Verizon decision, what does the law require of universities with respect to
alleged infringers and repeat infringers? And second, quite independent of the
law, what should university policy be, judged in terms of its own goals and
interests?
I hope we have an interesting an informative chat.
Question from Andrea L.
Foster:
I want to start by asking you why you think the ruling
suggests that universities now have no obligation to respond to notices of
infringement?
Charles R. Nesson:
I'm not ready to go that far. But if I were, this would
be my argument. We are talking about students with infringing materials on
their machines being communicated through the university network. That means
the university is just a conduit, and 512(a) covers. 512(a) has no notice and
takedown provision. That leaves 512(i) as the only source of obligation. 512(i)
requires the university, as a condition to keeping its safe harbor, to adopt
and reasonably implement a policy that provides for the termination of
"repeat infringers." But the university has no duty to investigate
and determine who is and who is not an infringer, no less a repeat infringer.
This means that the university is not obliged to do anything beyond announcing
a policy until it a duly constituted court determines that one of its users is a
"repeat infringer."
Question from Liane Curtis,
Brandeis University (Women's Studies Research Center):
RIAA's request for universities to supply information
about students who use computer systems for file sharing, seems to me to be the
same as asking universities to track the use of their photocopiers (since many
ID cards also serve as copy cards, this could easily be done). Could the print
media industries follow RIAA in requesting this information? Thank you.
Charles R. Nesson:
Other print media industries could ask, but they don't
have the DMCA in back of them, so no need to answer. Whether the DMCA requires
answers to RIAA requests we will talk about below.
Question from Andrea L.
Foster:
Are universities ethically obligated to comply with
these infringement notices?
Charles R. Nesson:
I would say yes, although the response need not be
draconian. Peer to peer file-sharing of copyrighted music strikes me as in the
same league with underage drinking and smoking weed, not something to get all
moralistic about. On the other hand, it is against the law, and universities
have a role to play in teaching their students and faculties to be law abiding.
To completely ignore notices of infringement will be seen by many as a form of
protection and encouragement of illegal activity. Passing on a notice to a user
that tells the user someone is watching would seem a stronger and wiser posture
to me. It would also insulate against the risk of losing safe harbor.
Question from Rick Richmond,
University of Wisconsin-Eau Claire:
If a university forwards a copyright infringement
takedown notice to a student, must the university perform any specific followup
steps to ensure that the student has complied with the takedown request?
Charles R. Nesson:
512(m) of the DMCA disclaims any intention of
conditioning safe harbor on a service provider "monitoring its service or
affirmatively seeking facts indicating infringing activity." The
legislative history, in addition, disclaims any pressure on a service provider
"to make difficult judgments as to whether conduct is or is not
infringing." This certainly looks like the answer to the question is
"no", the university need not perform any specific followup. Looking
the other way, though, is the aforementioned provision 512(i) which calls upon
the provider to "reasonably implement" is repeat infringer policy.
Can the university say it has reasonably implemented a policy it does nothing
to enforce?
Question from Adam R.
Albina, CIO Saint Anselm College, NH:
In light of the recent appeals-court ruling that
determined that the vehicle for the most recent rash of RIA subpoenas didn't
apply to providers that served as a mere conduit for the transmission of
information sent by others; do you think that the RIA will now focus on the
liability of those providers - specifically higher education?
Charles R. Nesson:
This would seem a logical step for several reasons.
First, universities are not likely to resist as strenuously as commercial
service providers. Commercial service providers lose paying customers when they
terminate users, and it's very bad public relations. Universities risk less by
enforcing their user agreements. Second, universities have an in loco parentis
relationship to their students. They have a governance structure that defines
responsibilities, gives counsel and imposes discipline. This relative closeness
of relationship suggests a more affirmative approach to insisting on lawful
behavior. If universities can be persuaded to go along with RIAA compliance,
then RIAA can more easily claim to Congress and courts that commercial isp's
should me made to do the same.
Question from Scott Menter,
UC Irvine:
Unlike an ISP, the University network exists to support
the needs of the institution itself, rather than simply supplying transport for
the needs of subscribers. Doesn't that distinction sufficiently distinguish the
University from an ISP like Verizon in such a way as to suggest that the law
might apply differently in the University context?
Charles R. Nesson:
Yes. The statutory language is "reasonably
implement ..." and what is reasonable for a university might well be
different from what is reasonable for a commercial provider. Take record
keeping for instance. A university would seem to have many more reasons for
keeping track of which of its users is on what ip address at what time than a
commercial user. This suggests that a university that stopped keeping such
records would more easily be found to be acting unreasonably than would a
commercial provider.
Question from Rafael Venegas
GVL Inc. http://www.gvenegas.com:
Music downloaders and uploaders who may know nothing
about copyright laws are being threatened with a fine of up to $150,000 for
infringement of one song, the same amount that can be obtained in a lawsuit
against an RIIA member (who should know about copyright law) for making one
million records without a license (another form of piracy). The fact that the
Copyright Act can produce such disparate sentencing results (or threats)could
be described as a defect in the law. The question: Is there a constitutional
issue here, when the law can produce so disparate results and no equity at all?
Is the laws constitutional in your opinion?
Charles R. Nesson:
Outrageous, but I'd be amazed if a court declared it
unconstitutional.
Question from Chris Faigle,
University of Richmond:
The record industry's reported response to the Verizon
ruling was that they will now simply sue in open court using John Doe, rather
than issue cease and desist orders. Do we have an ethical obligation to in
essence protect the students from themselves? or simply to inform them en masse
that their behavior is likely to land them in trouble? Are we distinct from
being an ISP in the sense that we have an ongoing relationship with the
students that supercede the provisison of Internet access, which a pay-for ISP
does not?
Charles R. Nesson:
The filing of a John Doe lawsuit and the issuance of a
subpoena to the university in connection with the suit will require the
university to divulge whatever information it has identifying the user
associated with the designated IP address. One question is whether the
university should keep such information. If the university adopts a policy of
not keeping such information, then I don't see how the RIAA gets to the
student. But failing to keep such information could threaten the university's
safe harbor. Assuming that the university keeps identifying information, it
will have to be turned over, with the consequence that the student will be
directly involved as the target of an infringement suit. Bottom line, yes, by
all means, explain to students what your policy is and what their potential
exposure is under it.
Question from Dr. William
Lantry, The Catholic University of America, Center for Planning and Information
Technology:
The law in this area seems subject to rapid change. If
a university announces a policy in September that seems to comply with current
law at the time, how can the university prevent establishing a practice that
will quickly becomen arcane under the law? Is it possible that the university
will have committed itself to a position that the RIAA might argue legally
binds the university in any litigation?
Charles R. Nesson:
There are some base line problems stemming from the
flex in what will be considered reasonable. A university that has been
following a policy of passing on notices of infringement to students will have
a tough time claiming that an RIAA request to them to continue doing so is
unreasonable. A university that keeps no identifying records will be more
vulnerable if at one time it kept such records and has changed its policy.
Question from Dedra
Chamberlin, UC Berkeley:
We have been having a discussion about what constitutes
a "repeat" offender. We have quite a few cases where we receive more
than one take down notice for a student within the same week. Internally, we
have decided to treat cases as a "repeat" only if we have had
adequate time to inform students about a first violation and resolve the case.
Any subsequent cases are then treated as a repeat. But cases that come in
before the first case is resolved (usually around 2-3 days) are ignored. Do you
see any problem with that from a legal standpoint?
Charles R. Nesson:
This seems completely right. A hyper-technical
interpretation of the statute that made a repeat infringer out of a student who
put up a hot song that three people immediately downloaded would make no sense
in terms of the evident purpose of the statute. "Repeat infringer"
makes sense as a criteria for termination only if carries an element of
recalcitrance, such as continuing to infringe after being caught once.
Question from Eric Yordy,
Northern Arizona University:
As an institution, we have worked out a procedure where
the ITS department contact students on a first time notification as we have
discovered that many students do not realize that they are sharing information
that is copyrighted. After the first discussion with ITS, they are referred to
my office for judicial action under the assumption that they know what they are
doing at this point. We feel that this is sufficient to show that we do take it
seriously while keeping in mind that we are educationally based. Our goal is to
teach the student not to violate the law. Any thoughts on our approach?
Charles R. Nesson:
Your approach seems just right to me. Even when
referred to you the first time for judicial action, termination need not be the
result. The second time they are referred to you may be time enough for such an
extreme sanction, which, for a student, is how I would characterize it.
Question from Stephen
Franklin, University of California, Irvine:
Please expand on your statement "A university
wouldseem to have many more reasons for keeping track of which of its users is
on what ip address at what time than a commercial user."
Charles R. Nesson:
Suppose an IP address is used in a manner that harasses
another student, or libels someone, or promotes fraud, or otherwise causes
harm. The relationship of a university to its students suggests to me that in
such circumstances the university would want a means of tracking and resolving
the problem. If the problem were to blow up in the press, for example, the university's
name would be involved in a way that would not be the case for Verizon if the
user were merely a Verizon customer.
Question from Elaine N.
Ward, University of Texas at Austin:
Mr. Nesson-- In your opening remarks you said that
prior to Verizon decision, universities had been "responding
expeditiously" . . . when notified that one of its students was offering
copyrighted material in a publicly shared folder," and that "The
Verizon decision suggests that universities may now be able to maintain that
they are mere conduits and do not control the infringing material on their
students' computers, and therefore have no obligation to respond to notices of
infringement." It seems that you may be saying that implications of the
Verizon decision went beyond the question of whether the subpoena process used
by recording industries was in compliance with the DMCA and the case could be
interpreted to mean that universities who are acting as ISPs have no legal
obligation to respond to the recording industries' DMCA notifications when
private computers attached to the universities' networks are involved. Is this
a fair statement of what you are saying? Even if this is so, might not
universities still have educational, operational, ethical, and policy considerations
that would support investigation when any credible report of misuse of their
resources?
Charles R. Nesson:
Yes and yes. But I need to be careful. The Verizon
decision suggests a reading of the DMCA that absolves service providers of the
duty of passing on infringement notices to users for whom the provider is
merely a conduit. But this is only one court's decision, and it was not
directed squarely at that question. Other courts may see the situation
differently and say a "reasonably implemented" policy of terminating
repeat infringers requires a provider to pass on notices of infringement,
otherwise how would repeat infringement ever be established? And yes,
universities still have educational, operational, ethical and policy
considerations independent of their *legal* obligations to see that their
resources are not misused.
Question from Kyle Barger,
Lutheran Theological Seminary at Philadelphia:
"..a university that stopped keeping such records
would more easily be found to be acting unreasonably than would a commercial
provider." What is a reasonable amount of time for which an institution
should retain such information?
Charles R. Nesson:
Time limits such as this tend to be arbitrary. Three
years would be safe. Section 512(e) of the statute addresses limitation of
liability of nonprofit educational institutions and speaks of a 3-year period
as a time-frame within which multiple notifications of claimed infringement by
faculty members may result in the institution losing the protection of the
section.
Andrea L. Foster (Moderator):
That will have to be our last question. We are now out
of time. Thank you, Charles, for being our guest today.
Charles R. Nesson:
Excellent questions. This area of the law is indeed on
the move. A case presently on appeal in the Ninth Circuit (Ellison) should
bring some enlightenment about the meaning of "repeat infringer" and
the nature of a provider's obligations under 512(i). (The Ellison opinion and
briefs on appeal are usefully collected at http://www.authorslawyer.com/ellison/.)
Thank you for participating with me.