Keep It Legal

With the Recording Industry Association of America (RIAA) sending out notices and suing students over illegal downloading and sharing of copyrighted files, university information technology departments have to take notice. Even Congress is getting into the act by holding hearings and considering legislation.

Higher education institutions are caught between the RIAA trying to protect copyrighted material and students who illegally download and share files, intentionally or unintentionally.

The litigation and government intervention pose a challenge: How does IT keep the education process open without ignoring possible illegal activity among students using the institution’s network?

Acknowledging the problem is a good start, according to university IT leaders. Institutions need to establish a policy for dealing with illegal downloads and file sharing — if they don’t already have one. That policy should take into consideration tools to limit bandwidth and offer legal file downloads, punishment for students who defy the policy, and mechanisms for raising awareness of the dangers of and alternatives to illegal downloads.

Timothy Chester, CIO of Pepperdine University in Malibu, Calif., one of 58 colleges sent pre-litigation letters by the RIAA in early August, says the students have to know the institutions are serious about the issue. “Illegal purposes can’t be allowed, even if it’s just illegal file sharing,” he says. “We’ve adopted software and hardware on the network that will essentially look at the protocol of traffic and not the content. This will reduce bandwidth for common file-sharing implications. You take all of the BitTorrent traffic and put it in a segment with little bandwidth. You’re clearly telling the students what they can’t do on the network. Students hate slow Internet traffic, so that’s already an incentive not to illegally download.”

How Much Tolerance?

Before you can enforce a policy, you must come up with one. Universities have differed here, with some banning peer-to-peer file sharing completely and others refusing to even forward the RIAA’s notices to students. While those decisions are often made at a level above the information technology staff, IT does have a large say in determining what students can and can’t download. But several CIOs suggest letting students get involved in the process.

“The policy needs to be inclusive of people you are supporting — students and faculty should be seated at the table and have to be part of the decision-making process with end users,” Pepperdine’s Chester says. “The questions that need to be asked are what type of level of service you provide, how much bandwidth do you have at your campus and how do you handle authentication on the network, and mix it in with the legal exposure. You need a transparent process at this point.”

At Olin College in Needham, Mass., students serve as the judge and jury, according to CIO Joanne Kossuth. “We have student governance organizations with two students from each class [year] meeting once a month discussing these issues, because we do have an honor code for students,” she says. “It’s student-run, and they can report each other if they’re doing something wrong.

“If someone is reported, they then have a hearing, and students administer consequences — we don’t spare downloading from academic infractions, which makes it better because the students need to take responsibility. Also this way we’re not spending our time being the police, something that I don’t think we’re the most effective at being.”

Still, universities must be mindful of U.S. laws, not just those handed down by students and campus administrators. Paul Gandel, vice president for information technology and CIO at Syracuse (N.Y.) University, says his institution is prepared to come down hard on students — especially repeat offenders.

“Offenders at our school lose many of their privileges on their network for repeat offenses, not just for music downloading but for a number of things,” Gandel says. “This is our standard operating procedure: If you violate the computer use, we have progressive disciplinary action, which leads to being pulled off the network. We’ve never had expulsion from the university, but I assume like most offenses, we take all U.S. laws very seriously and would be willing to take it to that level.”

Limit Bandwidth

Universities have tools that can at least limit the damage, if not stop illegal downloads completely.

Olin College uses Packeteer PacketShaper appliances to block or limit bandwidth on specific files. Kossuth says Olin does not block file sharing completely because “we have seeing and hearing courses where they need to have MP3s and AVIs, so we can’t just completely block them.”

She says Olin has all internal Internet protocol addresses, which helps limit and monitor student downloads.

“Things have to go through gateways so our students are not out there downloading huge amounts, and our students have servers to get public IP,” she says. “They must sign off on different policies so we don’t have a student with publicly accessible servers that we’re not aware of.”

Universities are also turning to legal download sites, such as Napster and Ruckus, that let students download music for a fee — paid by either the school or the students. Ruckus offers more than 3 million tracks, licensed from record labels, that students can legally download.

Educate Students

This might seem like an oversimplification, but educating students also goes a long way in dealing with illegal downloads. Students might not realize what they are doing is illegal or know the difference between using the legal download sites and illegal ones — especially if they are not paying for the legal sites.

“We have new student orientations,” Chester says. “At my last institution [Texas A&M University], when there was a case of illegal downloading, one of our senior staff would have a one-on-one conversation with the student. It was not a discipline issue, but a time to educate.

“We can talk to them about how students’ illegal downloading has penalized everyone and about the drain on the network. I’m a big iTunes user myself, and I’ve bought a couple hundred dollars’ worth of songs. You can show students that you’re not asking them to do anything you’re not willing to do.”

A school cannot assume that students understand even basic technology principles, Syracuse’s Gandel says.

“Many students have legal downloads, but because of embedded software they may be serving up music that they bought legally to others without even knowing it,” he says. “Even though they own the copyright, they don’t know the software is using their computer as a server. We need to also tell them what they can make a copy of legally and what constitutes fair use. I believe our notifications have gone down because we’ve made this effort.”

Kossuth says her school’s educational program, dubbed “Netiquette,” partly focuses on having alumni come in and talk to students. “Somehow when it comes out of [alumni] mouths instead of ours, students tend to believe it,” she says.

You can also use your Web site to focus on copyright issues. For example, Georgetown University in Washington, D.C., devotes a page of its site to include educational outlets such as musicunited.org, a combined effort of music industry organizations dedicated to informing students about copyright law.

Talk to a Lawyer

No matter what universities do, the RIAA notices just keep coming. And IT staff must realize this issue cannot be solved by technology alone.

“We’re looking through the notices we get and discuss[ing] with general counsel about what policy should be,” Chester says. “[The RIAA] changed tactics last year. Now they want institutions to forward notices to students, and we don’t know whether it will work. The RIAA can afford an army of lawyers to continue sending these things — and when students get them, a fair number are settling.”

Chester says Pepperdine gets only one or two notices a month, but he foresees the situation getting out of hand eventually unless the music industry decides it’s making a mistake by treating universities as Internet service providers. “You can’t hold us accountable like [ISPs], because we’re not resourced like that business. For them, it’s the cost of doing business. For us, it’s costing our students money that could be put into a better education.”