Thursday, January 8, at 1 p.m., U.S. Eastern time


A federal appeals court last month severely hindered the ability of the Recording Industry Association of America to use fast-track subpoenas to glean the identity of people, including college students, whom it suspects of trading music online. The group has been using the information to file copyright-infringement lawsuits against the suspects. But the court said the Digital Millennium Copyright Act does not allow the subpoenas to be served on Internet service providers whose networks are mere conduits for file-sharing. How does the ruling change the relationship between colleges and the recording-industry group? Should colleges help the group ferret out file sharers on campuses? Are colleges legally obligated to assist the group? What obligation, if any, do college officials have to assist the recording industry in tracking and punishing students who use college networks to swap music online in violation of copyright law?

A transcript of the chat follows.

Andrea L. Foster (Moderator):
    Hello, I'm Andrea Foster, a staff reporter here at The Chronicle of Higher Education.

Today we're going to be discussing the implications for colleges of the federal-appeals court decision that curtailed the ability of the Recording Industry Association of America to use fast-track subpoenas to identify people who swap music online.

Our guest today is Charles R. Nesson, a professor at Harvard Law School, and the faculty co-director of Harvard's Berkman Center for Internet & Society.

Welcome, Charles.

Charles R. Nesson:
    Hello,

I understand that we will be discussing the implications of the recent Verizon opinion for universities. Prior to the Verizon decision, universities had been "responding expeditiously" (to use the language of DMCA section 512(i)) when notified that one of its students was offering copyrighted material in a publicly shared folder. The Verizon decision suggests that universities may now be able to maintain that they are mere conduits and do not control the infringing material on their students' computers, and therefore have no obligation to respond to notices of infringement.

I look forward to talking with you at two levels: First, in light of the Verizon decision, what does the law require of universities with respect to alleged infringers and repeat infringers? And second, quite independent of the law, what should university policy be, judged in terms of its own goals and interests?

I hope we have an interesting an informative chat.

Question from Andrea L. Foster:
    I want to start by asking you why you think the ruling suggests that universities now have no obligation to respond to notices of infringement?

Charles R. Nesson:
    I'm not ready to go that far. But if I were, this would be my argument. We are talking about students with infringing materials on their machines being communicated through the university network. That means the university is just a conduit, and 512(a) covers. 512(a) has no notice and takedown provision. That leaves 512(i) as the only source of obligation. 512(i) requires the university, as a condition to keeping its safe harbor, to adopt and reasonably implement a policy that provides for the termination of "repeat infringers." But the university has no duty to investigate and determine who is and who is not an infringer, no less a repeat infringer. This means that the university is not obliged to do anything beyond announcing a policy until it a duly constituted court determines that one of its users is a "repeat infringer."

Question from Liane Curtis, Brandeis University (Women's Studies Research Center):
    RIAA's request for universities to supply information about students who use computer systems for file sharing, seems to me to be the same as asking universities to track the use of their photocopiers (since many ID cards also serve as copy cards, this could easily be done). Could the print media industries follow RIAA in requesting this information? Thank you.

Charles R. Nesson:
    Other print media industries could ask, but they don't have the DMCA in back of them, so no need to answer. Whether the DMCA requires answers to RIAA requests we will talk about below.

Question from Andrea L. Foster:
    Are universities ethically obligated to comply with these infringement notices?

Charles R. Nesson:
    I would say yes, although the response need not be draconian. Peer to peer file-sharing of copyrighted music strikes me as in the same league with underage drinking and smoking weed, not something to get all moralistic about. On the other hand, it is against the law, and universities have a role to play in teaching their students and faculties to be law abiding. To completely ignore notices of infringement will be seen by many as a form of protection and encouragement of illegal activity. Passing on a notice to a user that tells the user someone is watching would seem a stronger and wiser posture to me. It would also insulate against the risk of losing safe harbor.

Question from Rick Richmond, University of Wisconsin-Eau Claire:
    If a university forwards a copyright infringement takedown notice to a student, must the university perform any specific followup steps to ensure that the student has complied with the takedown request?

Charles R. Nesson:
    512(m) of the DMCA disclaims any intention of conditioning safe harbor on a service provider "monitoring its service or affirmatively seeking facts indicating infringing activity." The legislative history, in addition, disclaims any pressure on a service provider "to make difficult judgments as to whether conduct is or is not infringing." This certainly looks like the answer to the question is "no", the university need not perform any specific followup. Looking the other way, though, is the aforementioned provision 512(i) which calls upon the provider to "reasonably implement" is repeat infringer policy. Can the university say it has reasonably implemented a policy it does nothing to enforce?

Question from Adam R. Albina, CIO Saint Anselm College, NH:
    In light of the recent appeals-court ruling that determined that the vehicle for the most recent rash of RIA subpoenas didn't apply to providers that served as a mere conduit for the transmission of information sent by others; do you think that the RIA will now focus on the liability of those providers - specifically higher education?

Charles R. Nesson:
    This would seem a logical step for several reasons. First, universities are not likely to resist as strenuously as commercial service providers. Commercial service providers lose paying customers when they terminate users, and it's very bad public relations. Universities risk less by enforcing their user agreements. Second, universities have an in loco parentis relationship to their students. They have a governance structure that defines responsibilities, gives counsel and imposes discipline. This relative closeness of relationship suggests a more affirmative approach to insisting on lawful behavior. If universities can be persuaded to go along with RIAA compliance, then RIAA can more easily claim to Congress and courts that commercial isp's should me made to do the same.

Question from Scott Menter, UC Irvine:
    Unlike an ISP, the University network exists to support the needs of the institution itself, rather than simply supplying transport for the needs of subscribers. Doesn't that distinction sufficiently distinguish the University from an ISP like Verizon in such a way as to suggest that the law might apply differently in the University context?

Charles R. Nesson:
    Yes. The statutory language is "reasonably implement ..." and what is reasonable for a university might well be different from what is reasonable for a commercial provider. Take record keeping for instance. A university would seem to have many more reasons for keeping track of which of its users is on what ip address at what time than a commercial user. This suggests that a university that stopped keeping such records would more easily be found to be acting unreasonably than would a commercial provider.

Question from Rafael Venegas GVL Inc. http://www.gvenegas.com:
    Music downloaders and uploaders who may know nothing about copyright laws are being threatened with a fine of up to $150,000 for infringement of one song, the same amount that can be obtained in a lawsuit against an RIIA member (who should know about copyright law) for making one million records without a license (another form of piracy). The fact that the Copyright Act can produce such disparate sentencing results (or threats)could be described as a defect in the law. The question: Is there a constitutional issue here, when the law can produce so disparate results and no equity at all? Is the laws constitutional in your opinion?

Charles R. Nesson:
    Outrageous, but I'd be amazed if a court declared it unconstitutional.

Question from Chris Faigle, University of Richmond:
    The record industry's reported response to the Verizon ruling was that they will now simply sue in open court using John Doe, rather than issue cease and desist orders. Do we have an ethical obligation to in essence protect the students from themselves? or simply to inform them en masse that their behavior is likely to land them in trouble? Are we distinct from being an ISP in the sense that we have an ongoing relationship with the students that supercede the provisison of Internet access, which a pay-for ISP does not?

Charles R. Nesson:
    The filing of a John Doe lawsuit and the issuance of a subpoena to the university in connection with the suit will require the university to divulge whatever information it has identifying the user associated with the designated IP address. One question is whether the university should keep such information. If the university adopts a policy of not keeping such information, then I don't see how the RIAA gets to the student. But failing to keep such information could threaten the university's safe harbor. Assuming that the university keeps identifying information, it will have to be turned over, with the consequence that the student will be directly involved as the target of an infringement suit. Bottom line, yes, by all means, explain to students what your policy is and what their potential exposure is under it.

Question from Dr. William Lantry, The Catholic University of America, Center for Planning and Information Technology:
    The law in this area seems subject to rapid change. If a university announces a policy in September that seems to comply with current law at the time, how can the university prevent establishing a practice that will quickly becomen arcane under the law? Is it possible that the university will have committed itself to a position that the RIAA might argue legally binds the university in any litigation?

Charles R. Nesson:
    There are some base line problems stemming from the flex in what will be considered reasonable. A university that has been following a policy of passing on notices of infringement to students will have a tough time claiming that an RIAA request to them to continue doing so is unreasonable. A university that keeps no identifying records will be more vulnerable if at one time it kept such records and has changed its policy.

Question from Dedra Chamberlin, UC Berkeley:
    We have been having a discussion about what constitutes a "repeat" offender. We have quite a few cases where we receive more than one take down notice for a student within the same week. Internally, we have decided to treat cases as a "repeat" only if we have had adequate time to inform students about a first violation and resolve the case. Any subsequent cases are then treated as a repeat. But cases that come in before the first case is resolved (usually around 2-3 days) are ignored. Do you see any problem with that from a legal standpoint?

Charles R. Nesson:
    This seems completely right. A hyper-technical interpretation of the statute that made a repeat infringer out of a student who put up a hot song that three people immediately downloaded would make no sense in terms of the evident purpose of the statute. "Repeat infringer" makes sense as a criteria for termination only if carries an element of recalcitrance, such as continuing to infringe after being caught once.

Question from Eric Yordy, Northern Arizona University:
    As an institution, we have worked out a procedure where the ITS department contact students on a first time notification as we have discovered that many students do not realize that they are sharing information that is copyrighted. After the first discussion with ITS, they are referred to my office for judicial action under the assumption that they know what they are doing at this point. We feel that this is sufficient to show that we do take it seriously while keeping in mind that we are educationally based. Our goal is to teach the student not to violate the law. Any thoughts on our approach?

Charles R. Nesson:
    Your approach seems just right to me. Even when referred to you the first time for judicial action, termination need not be the result. The second time they are referred to you may be time enough for such an extreme sanction, which, for a student, is how I would characterize it.

Question from Stephen Franklin, University of California, Irvine:
    Please expand on your statement "A university wouldseem to have many more reasons for keeping track of which of its users is on what ip address at what time than a commercial user."

Charles R. Nesson:
    Suppose an IP address is used in a manner that harasses another student, or libels someone, or promotes fraud, or otherwise causes harm. The relationship of a university to its students suggests to me that in such circumstances the university would want a means of tracking and resolving the problem. If the problem were to blow up in the press, for example, the university's name would be involved in a way that would not be the case for Verizon if the user were merely a Verizon customer.

Question from Elaine N. Ward, University of Texas at Austin:
    Mr. Nesson-- In your opening remarks you said that prior to Verizon decision, universities had been "responding expeditiously" . . . when notified that one of its students was offering copyrighted material in a publicly shared folder," and that "The Verizon decision suggests that universities may now be able to maintain that they are mere conduits and do not control the infringing material on their students' computers, and therefore have no obligation to respond to notices of infringement." It seems that you may be saying that implications of the Verizon decision went beyond the question of whether the subpoena process used by recording industries was in compliance with the DMCA and the case could be interpreted to mean that universities who are acting as ISPs have no legal obligation to respond to the recording industries' DMCA notifications when private computers attached to the universities' networks are involved. Is this a fair statement of what you are saying? Even if this is so, might not universities still have educational, operational, ethical, and policy considerations that would support investigation when any credible report of misuse of their resources?

Charles R. Nesson:
    Yes and yes. But I need to be careful. The Verizon decision suggests a reading of the DMCA that absolves service providers of the duty of passing on infringement notices to users for whom the provider is merely a conduit. But this is only one court's decision, and it was not directed squarely at that question. Other courts may see the situation differently and say a "reasonably implemented" policy of terminating repeat infringers requires a provider to pass on notices of infringement, otherwise how would repeat infringement ever be established? And yes, universities still have educational, operational, ethical and policy considerations independent of their *legal* obligations to see that their resources are not misused.

Question from Kyle Barger, Lutheran Theological Seminary at Philadelphia:
    "..a university that stopped keeping such records would more easily be found to be acting unreasonably than would a commercial provider." What is a reasonable amount of time for which an institution should retain such information?

Charles R. Nesson:
    Time limits such as this tend to be arbitrary. Three years would be safe. Section 512(e) of the statute addresses limitation of liability of nonprofit educational institutions and speaks of a 3-year period as a time-frame within which multiple notifications of claimed infringement by faculty members may result in the institution losing the protection of the section.

Andrea L. Foster (Moderator):
    That will have to be our last question. We are now out of time. Thank you, Charles, for being our guest today.

Charles R. Nesson:
    Excellent questions. This area of the law is indeed on the move. A case presently on appeal in the Ninth Circuit (Ellison) should bring some enlightenment about the meaning of "repeat infringer" and the nature of a provider's obligations under 512(i). (The Ellison opinion and briefs on appeal are usefully collected at http://www.authorslawyer.com/ellison/.) Thank you for participating with me.