Educause Security Discussion mailing list archives

Re: DMCA Infringement Handling


From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Fri, 16 Sep 2011 10:12:43 -0700

This discussion pops up every now and then and invariably turns to the inadequacies or "blatant disregard for the law" 
by those sending the DMCA take down notices.  In the past I have had numerous discussions with (among others) Steve 
Worona regarding the moral and ethical aspects of those employing the DMCA for their purposes.  I believe we can take 
whatever personal stance we want but the one that we need to live with is that the DMCA is the law.  Our words and 
actions can either protect our institutions or place them in jeopardy but, whatever our stance, our words and actions 
will serve to educate our students.

We are not merely teaching them English and History but also, whether we want to admit it or not, we are teaching them 
a little bit of how to get along.  Most of us are not attorneys or even in law school, so our moral and ethical 
education has a different focus but not necessarily a different impact.  As someone else mentioned, I can help the 
students not only learn a legal lesson but this lesson does not entail huge fines or any jail time.

I disagreed with one of our System Attorneys that told me that the takedown notices should be treated as valid even if 
they did not have the exact wording I wanted; but I think he was right for what we are trying to teach in our 
environment.

Having said that, it has been a long time since I have seen a false positive.  There have been times when our logs did 
not 100% identify an individual but that invariably turned out to be a deficiency in our logging environment or a bad 
clock on the box or ....  In many of those instances we could easily identify someone by looking at other logs and, a 
couple times the machines and networks just did not keep the logs.  And there are always the users that say "not me" 
but it has been a long time since I have seen a false positive.

And I don't think I have ever seen a DMCA complaint for an IP number not registered to us. There may be some that we 
have sublet to other entities, but they are still registered to us with ARIN.

OK - off my soapbox and back to work.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adrian Teo
Sent: Thursday, September 15, 2011 5:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DMCA Infringement Handling

Agreed.

I built a small homegrown script to help us automate DMCA Infringement handling. Out of this I learned a lot, and this 
is just by looking at the DMCA reporting/notice system used by the copyright enforcers.

 1.  We get a ton of false positives. This includes mismatched IP/timestamps etc.
 2.  As Matt mentioned, a ton of the DMCA notices are for IPs outside our networks (i.e. Not even from our university 
network!!)
 3.  DMCA complaints have to be worded a certain way for them to be legally binding. Some "smart" enforcers have 
changed the wording of the complaint and that raises red flags making the notices invalid.
 4.  The enforcers seem to gravitate to the established ACNS XML standard for their complaint. We use this to automate 
our handling but several companies have arbitrarily defined their own modifications to their standard - which gives us 
a ton of headaches since they change them willy-nilly.

I found that valid notices only account for less than 13% of the total notices that we receive daily. We had since 
implemented network filters to eliminate (almost 100%) all P2P traffic and the complaints have gone down significantly, 
but this has not changed the percentage of invalid complaints.

Anyway, I hope that sharing this helps out by giving some insight to the DMCA complaint systems.

Regards

-AT

--
-------------------------------------------------------------------
Adrian W Teo       e: adrian.teo () asu edu      p: 480.452.8165
Information Security Architect
University Technology Office                  f: 480.965.6317
Arizona State University                      o: CPCOM 4S72
-------------------------------------------------------------------
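
The checks discussed in this thread (notice IP outside the institution's networks, IP/timestamp not matching a lease, clock drift, vendor-modified XML) can be sketched as a triage function. This is an added example, not the script described in the message above; the element names, networks, lease record and five-minute skew are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed data: documentation prefix, invented lease record, assumed skew.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LEASES = [("192.0.2.10", "00:00:5e:00:53:01",   # ip, mac, start, end (UTC)
           datetime(2011, 9, 15, 8, tzinfo=UTC), datetime(2011, 9, 15, 20, tzinfo=UTC))]
SKEW = timedelta(minutes=5)
# Constructed notice; element names are assumptions modelled on an ACNS-style layout.
SAMPLE = ('<Infringement xmlns="urn:example:notice"><Source>'
          '<TimeStamp>2011-09-15T12:00:00Z</TimeStamp>'
          '<IP_Address>192.0.2.10</IP_Address></Source></Infringement>')

def field(parent, name):
    """First non-empty text of a descendant, ignoring namespace and case."""
    for el in (parent.iter() if parent is not None else ()):
        if el.tag.rsplit("}", 1)[-1].lower() == name and (el.text or "").strip():
            return el.text.strip()
    return None

def triage(notice_xml):
    """Return (status, detail) for one notice."""
    if "<!DOCTYPE" in notice_xml.upper():
        return ("malformed", "DTD not accepted")   # untrusted input: no entities
    try:
        root = ET.fromstring(notice_xml)
    except ET.ParseError as exc:
        return ("malformed", str(exc))
    source = next((e for e in root.iter()
                   if e.tag.rsplit("}", 1)[-1].lower() == "source"), None)
    try:
        ip = ipaddress.ip_address(field(source, "ip_address"))
        ts = datetime.fromisoformat(field(source, "timestamp").replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return ("malformed", "missing or invalid IP or timestamp")
    if ts.tzinfo is None:
        return ("review", "timestamp has no time zone")
    if not any(ip in net for net in CAMPUS_NETS):
        return ("not-ours", str(ip))
    # Leases that could cover the timestamp if clocks differ by up to SKEW.
    near = [l for l in LEASES if l[0] == str(ip) and l[2] - SKEW <= ts <= l[3] + SKEW]
    # Leases that cover it even after allowing for SKEW in either direction.
    firm = [l for l in near if l[2] + SKEW <= ts <= l[3] - SKEW]
    if len(near) == 1 and firm:
        return ("matched", near[0][1])
    if near:
        return ("review", "timestamp within clock skew of a lease boundary")
    return ("no-match", "no lease covers the timestamp")
```

Only a "matched" result identifies a device; "review" results go to a person rather than to an automatic action.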



________________________________
From: "Arthur, Matt" <arthur () WUSTL EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thu, 15 Sep 2011 16:13:17 -0500
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] DMCA Infringement Handling

A couple of thoughts (along with our 'policy' URL for students and copyright):
1) Neither DMCA nor HEOA requires you fine or disable anyone on a first offense.  You must take 'action' for 'repeated' 
violations.
2) A policy that takes some kind of 'action' (fines or disable network access) on the first DMCA complaint seems to 
violate the concept of innocent until proven guilty.  Something that I doubt institutions of higher learning in the 
United States should be doing (my opinion).
3) We have noticed that more and more of our DMCA notices are for IP addresses outside of the student networks.  Do you 
'fine' faculty and staff members as well?
4) Be sure your institution's policy covers your requirements pursuant to the HEOA P2P section.  And then be sure you 
follow your policy!
5) Our student policy URL: http://sts.wustl.edu/index.php?option=com_content&view=article&id=59&Itemid=69

Matt
______________________________________
Matthew K. Arthur, CISSP | Director - Media Services & Incident Communications Solutions
Information Services & Technology | Washington University in St. Louis
Campus Box 1110, 7425 Forsyth Blvd, St. Louis, MO 63105-2161
314.935.3899 o | 314.323.9246 c | arthur () wustl edu <mailto:arthur () wustl edu>



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
Sent: Thursday, September 15, 2011 3:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DMCA Infringement Handling

We are considering revising our DMCA infringement handling procedures, especially with
regard to repeat infringers.

I wonder what everybody else is doing with these issues?

We match up the complaint with our IP>Ethernet assignment and network traffic logs.  I
forward the complaint to the student and disable their ethernet card registration.  They are
required to pay $50 and give an assurance that the infringing file(s) and filesharing
software have been removed.  I then re-enable their ethernet card registration for access to
our network.

Repeat infringers get the same procedure except that they also are referred to the VP for
Student Services for some sort of an appointment.  I do not know what happens in that
appointment.

Would you share with me, so I could tabulate it and present the options others use to our
administration:

1) What is your charge or penalty for first and repeat infringement?
2) When do disciplinary staff intervene?  first time or repeats?
3) How long do you deny network access?
4) If a student has multiple devices, do you deny access to all devices or just the one
implicated in the complaint?
5) Who was involved in the approval process for your procedures?
6) How much pushback do you get from users who receive infringement notices?
7) Do you have an appeals process that has ever given an infringing user any relief?
8) May I use your institution name along with your other responses in my report to the
administration?

Finally, a slightly separate question:
9) Do you ever get complaints forwarded from an agent of the pornography industry?  (we
have seen a few recently)

Thanks for any info you are willing to share.

Bob Bayn          (435)797-2396            IT Security Team
We will never send you email asking for your password
(never, never, never with this one exception: NEVER!)
Office of Information Technology, Utah State University
       http://tinyurl.com/bicyclists-share-kidneys-v2-0
        USU employees - join the Phirst Phish Contest
     http://it.usu.edu/security/htm/phirst-phish-contest
