DMCA FAQ

FAQ for DMCA Designated Agents at Higher Education Institutions

by Joseph Storch, Heidi Wachs, Kent Wada

About the authors

A Note from the Authors

This FAQ arose out of observing the same questions being raised and discussed over many years on discussion lists, but with no way for people new to the role of DMCA Designated Agent to gain from this wisdom except by searching through archives. Our intent is to help you, the new Designated Agent (as well as your colleagues in student affairs, counsel’s office, and IT), quickly understand the scope of and issues raised by this role. You can use the referenced resources to delve further into the issues raised in this document. The FAQ is not intended to be comprehensive; rather, it strives to provide sufficient awareness to new Designated Agents and their institutional colleagues to avoid being blindsided in their role.

The usual disclaimers apply. The authors hope the information contained herein is helpful, but even though it is filled with jargon, it cannot and must not substitute for proper legal, technical, or policy advice.

This FAQ is intended to be a living document, and we welcome ideas for new questions or different approaches to answers. Please send your feedback to policy@educause.edu.

A. First Steps for DMCA Designated Agents

1. I’m now the DMCA Designated Agent for my institution. What’s first on my list?

Register yourself as the institution’s Digital Millennium Copyright Act (DMCA) Designated Agent with the U.S. Copyright Office. Registering an Agent with the Copyright Office is necessary for your institution to avail itself of the DMCA’s safe harbor under 17 U.S.C. Section 512(c), which protects the institution, as an Internet Service Provider (ISP), from liability for copyright infringement occurring on your network at the direction of users.

Make sure you understand your institution’s policy and/or process for handling DMCA claims (assuming there is one—if not, see Section G, Question 24). Such a policy or process is required to qualify for the DMCA safe harbor under Section 512(c) and may also be something your institution uses to comply with the Higher Education Opportunity Act (HEOA).

Get in touch with others at your institution who have to deal with the DMCA or the HEOA peer-to-peer (P2P) provisions, such as campus counsel, student affairs, communications and marketing, government relations, and IT. Consult broadly within your institution. Take advantage of the EDUCAUSE Resource Center; among the many items found in this resource are model policies and campus plans, from which you can borrow to establish your own.

2. What does the DMCA do?

In 1998, the Digital Millennium Copyright Act (DMCA) updated copyright law by providing the legal framework for how copyright holders make claims of copyright infringement in the digital world, given that only an Internet Service Provider (ISP) (e.g., a cable company, telephone company, college, university, etc.) has the records necessary to match an Internet Protocol (IP) address and time stamp to an individual. The DMCA tries to balance the needs of copyright holders whose digital works can be rapidly, perfectly, and infinitely copied and the liability of an ISP for its users’ infringing activity, all in the context of protecting intellectual property to promote innovation.

Copyright holders are responsible for identifying activity that infringes on their works, and sending a DMCA claim (see Section B, Question 4) to the ISP from which the alleged infringement came. The ISP must follow certain procedures (for example, registering a Designated Agent with the US Copyright Office) if it wishes to avail itself of the safe harbors afforded by the DMCA. These safe harbors are, however, optional and an institution is free to ignore the procedures (and most of what is written in this document) if it chooses to forego the DMCA’s liability shelter and rely only on traditional copyright defenses (e.g., making a fair use argument). Of course, typically institutions will want to keep the door open for as many defenses/safe harbors as possible.

In 2008, the Higher Education Opportunity Act (HEOA) added obligations to higher education institutions with respect to combating illegal peer-to-peer (P2P) file sharing. In some cases, these additional obligations codified as federal regulatory requirements what institutions were already doing by policy choice. Unlike the DMCA, the HEOA requirements are mandatory and its provisions only apply to higher education institutions (i.e., not all ISPs).

B. Receiving DMCA Notices of Copyright Infringement (“DMCA Takedown Notices”)

3. What do I do when I receive a DMCA notice?

Panic. Then, follow your institution’s established procedures (see Section A, Question 1) for responding to a DMCA notice.

4. How do I know that a DMCA notice is valid?

To be effective, a “notice” must be a written communication to a service provider’s designated agent that includes “substantially” the following:

1. a physical or electronic signature of a person authorized to act on behalf of the owner;
2. identification of the copyrighted work alleged to be infringed;
3. identification of the material claimed to be infringing or which is the subject of infringing activity;
4. information sufficient to allow the ISP’s designated agent to contact the complaining party, e.g., address, telephone number, and e-mail address;
5. a statement that the complaining party has a good faith belief that use of the material is unauthorized; and
6. a statement that the information in the notice is accurate and, under penalty of perjury, that the complaining party is authorized to act on behalf of the owner. (17 U.S.C. § 512 [c][3][A].)

To be effective, a notice must contain substantially all the information referenced above. If the notice provides substantially the information required in items b, c, and d above, the service provider has an obligation to attempt contact with the complaining party and take other “reasonable steps” to obtain a notice that complies with all requirements. If this information is not obtained after “reasonable” attempts, the service provider will not be considered to have actual knowledge of infringement or infringing activity and need not follow its takedown procedure.

When DMCA notices contain technical errors or do not formally comply with each item above, many institutions nevertheless treat the notice as complying in “good faith.” Whether to offer this good faith in accepting and taking action on technically faulty DMCA notices is a policy decision for each institution. Whichever way the institution decides, it should treat such notices uniformly, and not pick and choose—whether because of the content of the notice, the identity of the sender, or the ease of compliance.

5. What is that stuff in a notice with all the weird characters, like < / and >?

A valid claim contains many pieces of information. However, there is a small set of core information needed to process a claim, such as when the alleged infringement activity occurred and from what IP address it originated. This core information is embedded in the free-form text of a claim intended to be read by human beings; but such text can vary significantly in form and wording depending on the wishes of a given copyright holder.

To make automated computer processing of claims more straightforward, this core information is often duplicated in a specific format intended for machine parsing: see Automated Copyright Notice System (ACNS). Such ACNS-formatted information is usually part of the body of the claim e-mail, but sometimes appears as an e-mail attachment. Some institutions use this as part of their automated claims processing.

Most major rightsholders are now including ACNS-formatted data as part of their claims, recognizing that it can help claim receivers to process their claims. But many smaller rightsholders do not do this, and there is no requirement to do so.

6. What if a DMCA notice is sent to an address other than the one my institution has on file with the U.S. Copyright Office? What if I send a correction, but they ignore it and keep sending to the wrong address?

Technically, DMCA notices must be sent to the address on file with the Copyright Office. Different institutions have adopted different approaches when faced with a notice sent to someone other than the Designated Agent. For example, they have chosen, whether by policy or by practice, to:

• ignore such notices;
• ask those within the institution who receive an incorrectly addressed notice to forward it to the Designated Agent;
• have those within the institution who receive an incorrectly addressed notice write back to the sender stating that the notice was sent to the wrong address, pointing to the address on file with the U.S. Copyright Office; or
• comply with the notice in “good faith,” while simultaneously notifying the sender that the notice was sent to the wrong address.

7. What if I can’t match the IP address and time stamp given in a DMCA notice to an individual?

If your institution, after taking reasonable efforts to investigate and match a user to the IP address designated in the DMCA notice, cannot, for technical or other legitimate reasons, match a user to this IP address, the DMCA does not specifically require any other action.

Be mindful that the automated systems that generate the bulk of the DMCA notices received by institutions are not infallible. There have been several times in the past where batches of “bad” DMCA notices that did not correspond to actual activity were generated.

8. How long must my institution maintain Internet Protocol (IP) logs?

Only for as long as your business purposes require. The DMCA does not include a records retention requirement for IP logs.

C. Acting on DMCA Claims

9. Do I have a legal obligation to write back to the notice issuer about actions I have taken?

For instance, do I have a legal obligation to communicate:

• That I have received the notice?
  No.
• That I have taken down the content?
  No.
• That I have punished the user by terminating him or her?
  No.

You have no legal obligation to communicate directly with the sender of the DMCA notice about which actions, if any, you have chosen to take; and there are no penalties if you choose not to notify the sender of your actions. Some institutions do, however, opt to acknowledge receipt of a notice, or to convey what actions have been taken. This is a policy decision of the institution.

10. Is there a deadline that I must meet in responding to a DMCA notice?

The DMCA requires that, to maintain the safe harbor, an ISP, upon “obtaining such knowledge or awareness [of infringing material, likely through a DMCA notice], acts expeditiously to remove, or disable access to, the material” (17 U.S.C. § 512 [c][1][A]). The term “expeditiously” is not defined in the statute and no definitive amount of days or hours has been established in law.

11. Are there different requirements for claims relating to student-owned computers (e.g., in residence halls) than for computers owned by the institution?

Resources owned by an institution—such as faculty, staff, or computer lab computers—fall under 17 U.S.C. Section 512(c). This section provides a safe harbor for an ISP so that it is not liable for monetary damages for infringing materials on its servers provided it does not have “actual knowledge” of the infringing material, does not receive a direct financial benefit from the infringement, and, when notified, responds “expeditiously” to remove the infringing material or disable access to such material.

Most student and guest activity on university networks occurs through personally owned equipment and thus falls under 17 U.S.C. Section 512(a). This section provides immunity to the ISP for information that simply transits the ISP’s networks, with no direction, input, or interference from the ISP itself, and is not stored anywhere on the ISP’s network. Notably, no additional proactive steps are required for an ISP to avail itself of this immunity. However, for a variety of reasons, some institutions have made a policy decision to treat these notices as if they fall under Section 512(c), terminating users from the network unless and until the infringing content is removed. Often such activity is handled through a student affairs process, rather than as a legal or IT matter, so as to seize upon a “teachable moment” for students. And while there may be no legal requirements under this section of the DMCA, the HEOA requirements still apply. See Question 18.

12. Am I obligated to determine whether infringement actually occurred (given that DMCA notices are claims of infringement)?

No. Under the DMCA, all claims must be made on a “good faith” basis and under penalty of perjury, and the ISP’s role is to act expeditiously to take down the allegedly infringing material (if under Section 512(c), see Section C, Question 11). A counterclaim can be made by the alleged infringer, in which case the ISP is obligated to restore the material in a time frame specified by the DMCA, after which point the matter is adjudicated in court.

Student judicial officers at many institutions often investigate as part of the institution’s internal student judicial process, independent of the legal system. This is a policy decision made on an institution by institution basis.

It is possible, however, to go too far in proactively seeking potentially infringing activity on your institution’s network in that it may, in fact, jeopardize your safe harbor under the DMCA because you would have knowledge of the activity. There is a significant difference between doing due diligence when notified of possible infringing activity and having the institution proactively looking for such activity.

13. What does it mean to terminate repeat infringers (must I kill them?!?)?

Decisions on treatment of repeat infringers are made on an institution by institution basis. Despite its name, you need not treat your students as this Terminator would: http://en.wikipedia.org/wiki/The_Terminator. Each institution’s DMCA procedures are based on that institution’s policies and values, and integration with actions taken for other student or employee conduct problems. The DMCA sets out a legal requirement to terminate (17 U.S.C. § 512 [i]) repeat infringers, yet performing independent investigations of potentially infringing activity could put the institution’s safe harbor in jeopardy. This ambiguity is why institutions choose to make individualized decisions how they handle this scenario.

Examples of actions institutions have taken to terminate repeat infringers include:

• immediate disconnection from the network upon receipt of a DMCA notice;
• network access limited to only academic resources (e.g., Blackboard/Moodle, or the campus library website); or
• disconnection from the network, coupled with fines to reconnect.

14. I have received a DMCA notice that asks me to forward on a pre-litigation settlement letter to the infringer. Must I do so?

The DMCA does not address pre-litigation letters and there is no requirement that institutions forward pre-litigation settlements to anyone. The legal requirements of the DMCA are limited to those set out above.

However, in practice, many institutions make a policy decision to forward such notices as a service to students, who might otherwise eventually opt to settle at a higher cost. Other institutions have chosen to forward only the DMCA take-down notice portion. This is a conversation to have with your institution’s student affairs professionals.

D. What if my campus receives a subpoena?

15. I have received a subpoena, what should I do?

Contact your office of university counsel, or whoever is the primary legal representative on your campus.

16. If I am asked to provide FERPA-protected information in response to a subpoena, what rules apply to providing that information?

The Family Education Rights and Privacy Act (FERPA) is a Federal law that governs access to student education records. Applicable data from student records may not be released except in certain circumstances.

Included in that is a waiver by the student. In other words, with the informed written consent of a student, the college may release records to any party for whom the student consents.

Additionally, records may be released if “[t]he disclosure is to comply with a judicial order or lawfully issued subpoena” (34 CFR 99.31[a][6][ii][C][9][i]). The definition of “judicial order” or “lawfully issued subpoena” is different in different states. Contact campus counsel for more information.

In addition, prior to disclosing, FERPA requires that the college “makes a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, so that the parent or eligible student may seek protective action” (34 CFR 99.31[a][6][ii][C][9][ii]) (the only exceptions are for grand jury and criminal subpoenas, not applicable here). While FERPA does not establish definitive time frames, many colleges set a ten business day or two calendar week minimum time period from the time of notification of a student to the time when the records are released. This gives the student and his or her family sufficient time to consult with an attorney and provide the college with notice that they have moved to quash a subpoena. If the college receives such notice, it may in good faith temporarily withhold the information from the requester until such time as the motion to quash is ruled upon, and the applicable appeal period for that ruling has completed.

17. What should a FERPA subpoena notification letter to students say?

FERPA does not establish any specific required language for a FERPA notification letter. Below are some sample letter paragraphs that college officials may freely draw from in creating their own letters.

Dear ________________:

We recently received a subpoena from [LAW FIRM], a law firm representing [COPYRIGHT OWNER]. You have been sued as a “John Doe” in the [NAME OF COURT], Civil Action Number: [FILL IN NUMBER], for alleged copyright infringement. The subpoena requires us to provide certain record information for users matched to Internet Protocol (“IP”) addresses used for unauthorized uploading or downloading of copyrighted material and identified by the record companies. We are attaching a copy of the subpoena to this letter.

Please note that your information has not yet been disclosed, but will be disclosed on [DATE AT LEAST 10 BUSINESS DAYS OR TWO CALENDAR WEEKS FROM DATE OF LETTER] if you do not formally challenge the subpoena. We are informing you of this subpoena in accordance with the Family Education Rights and Privacy Act (FERPA). While the plaintiffs have provided the Court with enough information to obtain a subpoena to identify you, the Court has not yet determined whether you are liable for infringement. You can challenge the subpoena in Court. You have until the close of business on [DAY BEFORE DATE OF RELEASE] to file a motion to quash or vacate the subpoena. If you file a motion to quash the subpoena, your identity will not be disclosed to the firm that sent the subpoena until the motion is resolved. If we do not receive notice from you or your attorney that you have a pending motion to quash the subpoena by the close of business on [DAY BEFORE DATE OF RELEASE], we will comply with the subpoena and send your identification information.

Please note that [COLLEGE NAME] cannot provide you with legal advice, and we strongly encourage you to consider seeking legal counsel or contacting your personal attorney before proceeding. The resource list attached to this letter (seeSection F, Question 21) may assist you in locating an attorney to represent you in this matter and lists other resources to help you determine how to respond to the subpoena.

A note of caution that should not be seen as constituting legal advice: although it may be tempting to erase or destroy files from your computer at this time, doing so may be a violation of a court order and may result in additional, and potentially severe, consequences. We recommend that you consult an attorney before taking any action to modify or delete files.

Sincerely,

E. Specific Responsibilities of DMCA Designated Agents vis-a-vis the Higher Education Opportunities Act

18. What (other) responsibilities does my institution have under the HEOA?

The Higher Education Opportunity Act includes two sections: a “notification” requirement and a “written plan” requirement that affect peer-to-peer file sharing.

Notifications
P2P notification will accompany the many other notifications printed (or digitally created) annually in a student handbook or similar document. It consists of three parts:

• a statement that unauthorized distribution of copyrighted material may bring civil and criminal penalties,
• a summary of the penalties for violating copyright law, and
• a description of the college’s specific policies.

Written Plan
If your college does not have a written plan to handle file sharing, the HEOA regulations require your college to draft one. The regulations state that these plans do not need to be all encompassing or interfere with your institution’s educational or research business practices. Any written plan must apply to all users of an institution’s network (including faculty, staff, contractors, and guests), not simply to student users. The plan must include:

• Education: The written plans must include an educational component. This “could include any additional information and approaches determined by the institution to contribute to the effectiveness of the plan, such as including pertinent information in student handbooks, honor codes, and codes of conduct in addition to e-mail and/or paper disclosures.” (See Department of Education General and Non-Loan Programmatic Issues; Proposed Rule, 74 Fed. Reg. 42380, 42391 [Aug. 21, 2009] [to be codified at 34 CFR Parts 600, 668, 675 et al.]).
• Responding to Unauthorized Distribution of Copyrighted Material: The written plan must include procedures for handling unauthorized distribution of material, including the use of your institution’s student disciplinary process. The regulations do not require that the institution actively monitor networks or seek out students to discipline. However, when the issue is brought to the attention of the institution—typically by means of a valid DMCA notice—the institutionmust have written procedures for handling the matter; this is usually accomplished by removing the student from the network, at least temporarily, asking them to remove the offending file from their computer or stop sharing that file, and potentially using the college disciplinary process.
• Technology-based Deterrents: The institution’s written plan must include the use of one or more technology-based deterrents. Institutions are offered several options for such deterrents, and the regulations state plainly that they do not favor one technology over another (See Department of Education General and Non-Loan Programmatic Issues; Final Rule, 74 Fed. Reg. 55902, 55926 [Oct. 29, 2009 [to be codified at 34 CFR Parts 600, 668, 675 et al.] [PDF]). Some technological options are hardware and software blocking packages, aggressive manual (or automatic) processing of DMCA notices, or dialing down bandwidth and packet shaping. Each of the above-referenced methods interacts at a different level with network operations. The feasibility of implementing each method will vary from institution to institution. Some texamples of technology-based deterrents are:
• • Packet Shaping: Packet shaping works to “shape” the speed of data over the institution’s network. These technologies classify, analyze, and manage the bandwidth, giving priority to certain types of data (such as e-mail), while de-prioritizing other types of data (such as shared files).
  • Content Filters: Content filters in the form of hardware and software solutions are generally considered the most intrusive and costly of the technology-based deterrent options. These filters are placed directly on the network and scan all network traffic seeking matches to the digital “fingerprints” stored in the device. Files that are a match to these fingerprints are blocked.
  • Low-tech Options: Accepting and responding to DMCA notices.
• Legal Alternatives for Downloading Copyrighted Material: The regulations also require that institutions periodically review the current state of legal alternatives for downloading or otherwise acquiring copyrighted material and publish that review on a college website or otherwise distribute that information to students. EDUCAUSE makes a list of known legal file sharing alternatives available to the higher education community. In addition to publishing the list of legal alternatives, the regulations require that institutions also offer legal alternatives for downloading or otherwise acquiring copyrighted content, “to the extent practicable” (see Department of Education General and Non-Loan Programmatic Issues; Final Rule, 74 Fed. Reg. 55902, 55910 [Oct. 29, 2009] [to be codified at 34 CFR Parts 600, 668, 675 et al.] [PDF]).
• Periodic Review of Written Plan: Finally, the written plan must include language that requires periodic review of said plan to determine its continuing effectiveness. The proposed regulation to the HEOA stated that “[i]t would be left to each institution to determine what relevant assessment criteria are,” although nothing in the language of the proposed or final regulations defines how long “periodic” is (the final regulation did not provide further guidance). An annual review of the college’s plan prior to the annual publication and in consideration of changes in the technologies and student habits and behaviors would seem to be reasonable.

EDUCAUSE maintains a list of “role model campuses” and their plans, representing many different types of institutions and approaches to compliance with these HEOA P2P provisions.

More information can be found in Section G, Questions 23-24.

F. Other common questions

19. What if my campus outsources our IT infrastructure? Does the DMCA still apply to me?

Yes. However, anecdotally, institutions that have outsourced their IT infrastructure, particularly in the residence halls, have found that they no longer receive DMCA notices.

20. A student has come to my office upset about being caught file sharing. What should I do?

Each institution’s practice is different. This is often an area where a team approach between student affairs and IT works best. You can explain to the student the practical information laid out in this document, as well as the potential consequences (both institutionally and in the courts) to sharing copyrighted files. Also, keep in mind that this is a college student not (likely) a hardened criminal, who may have made this mistake accidentally or because they were not informed. Many of today’s college students have grown up in a world where file sharing was “always” possible. Take the opportunity to educate such students in a constructive manner.

21. What resources are available to share with students about file sharing?

EDUCAUSE’s Legal Sources of Online Content offers information about legal alternatives to unauthorized downloading.

In addition, the following list is provided to assist you in identifying your legal options and locating an attorney. Inclusion on this list is not an endorsement of any particular organization.

The organizations listed below provide guidance on how to find an attorney. The second listing provides referrals for local attorneys.

• American Bar Association
  http://www.abanet.org/legalservices/findlegalhelp/main.cfm?id=NY
• Your State’s Bar Association
  “Google” [your state] and “bar association”

The organizations listed below have appeared in other courts to attempt to protect what they believe to be the due process and First Amendment rights of John Doe defendants. These organizations are prepared to help you consider your legal options.

• Subpoena Defense Alliance
  http://www.subpoenadefense.org/
• American Civil Liberties Union
  http://www.aclu.org/
• Electronic Frontier Foundation
  http://www.eff.org/
  454 Shotwell St.
  San Francisco, CA 94110-1914
  Referral Coordinator Phone: 415-436-9333, Ext. 111
• Recording Industry vs. People Blog
  http://recordingindustryvspeople.blogspot.com/2007/01/directory-of-lawyers-defending-riaa.html

G. Resources for the Designated Agent

22. Where can I read the DMCA?

You can see the full text of the DCMA at http://www.copyright.gov/legislation/pl105-304.pdf. The U.S. Copyright Office also provides a nice summary oftheDMCA.

23. What other resources can you suggest?

In addition to the resources cited in the FAQ above, the following sources provide you with further information.

1. The University of California Guidelines for Compliance with the Online Service Provider Provisions of the DMCA.
2. EDUCAUSE resource pages on the DMCA, P2PFileSharingand HEOA.
3. Joseph Storch and Heidi Wachs, “A Legal Matter: Peer-to-Peer File Sharing, the Digital Millennium Copyright Act, and the Higher Education Opportunity Act: How Congress and the Entertainment Industry Missed an Opportunity to Stem Copyright Infringement,” Alb.L.Rev. 74 (2011): 313-360. Available at http://www.albanylawreview.org/article.php?id=358.
4. Joseph Storch and Heidi Wachs, “Peer-to-Peer File Sharing Requirement of the Higher Education Opportunity Act” (NACUANotes: National Association of College and University Attorneys 8.11 [July 22, 2010]). NACUANotes is available to members of NACUA and their institutions.
5. Kent Wada, “Illegal File Sharing 101” (EDUCAUSE Quarterly31.4 [Oct.–Dec. 2008]). Available at http://www.educause.edu/EDUCAUSE+Quarterly/EDUCAUSEQuarterlyMagazineVolum/IllegalFileSharing101/163441

H. On Squishiness

24. Why can’t anyone tell me what vague words like “expeditious,” “reasonable,” and “only as long as your business purposes require” really mean?

You already know the answer: there is no one answer. What makes sense in one environment may not in another. Generally speaking, you should articulate what you believe achieves good-faith due diligence and that you feel good about standing behind the line of reasoning you took to get there. Someone could disagree with your approach, but that’s always true.

For example, in retaining IP logs, what are your business purposes? You are likely already keeping such logs in order to identify systems on the network for security reasons. Unless your retention time is near either extreme of keeping no logs at all or keeping them forever, whatever you already do should be reasonable for DMCA purposes, as well. A more detailed analysis would be to think through the balance of factors involved, such as due diligence in being able to comply with laws or regulation, ability to maintain network reliability and integrity, and protecting privacy.

About the Authors

Joseph Storch is an Associate Counsel at the Office of General Counsel, State University of New York. He is a graduate of the State University of New York at Oswego and Cornell Law School.

Heidi Wachs is the Director of IT Policy, Privacy Officer, and DMCA Agent at Georgetown University. She is a graduate of Lehigh University and the Benjamin N. Cardozo School of Law.

Kent Wada is Director, Strategic IT and Privacy Policy, UCLA and was UCLA’s founding Designated Agent.

The text of this FAQ is licensed under the CreativeCommonsAttribution-NonCommercial-NoDerivs3.0UnportedLicense.