Are universities protecting students from the RIAA?

As I wrote earlier this week, the Recording Industry Association of America has now expanded its campaign against illicit file-sharing to students at George Washington University.

One thing I noticed when reading through the court documents is how sluggish the RIAA's attorneys and its MediaSentry contractor have been in filing these lawsuits. Even though the complaint was filed on September 19, this excerpt lists IP addresses in use as long ago as February:

Doe # 1 IP Address:  128.164.100.11 2007-02-02 05:59:17 EST 
Doe # 2 IP Address:  128.164.100.11 2007-03-05 04:29:42 EST 
Doe # 3 IP Address:  128.164.100.158 2007-04-14 16:57:39 EDT 
Doe # 4 IP Address:  128.164.100.22 2007-03-26 02:02:52 EDT 
Doe # 5 IP Address:  128.164.100.72 2007-05-10 00:24:36 EDT 

If GWU has deleted its logs of who was using what IP address back then, the RIAA is going to be out of luck. So this becomes an important question: how long do universities keep logs showing who's been assigned a particular IP address? And why won't they say what the duration is?

"We have not systematically surveyed our members regarding their data retention practices, especially IP addresses," Rodney Petersen, Educause's government relations officer, told me in e-mail. "Anecdotally, our members have reported varying retention practices--ranging from keeping them for as little time as necessary, usually a few days, for internal security purposes to keeping them indefinitely. There is little uniformity in practice based upon our informal inquiries." Educause is, of course, a nonprofit group that represents higher education institutions and oversees the .edu domain.

The RIAA's lawsuit against GWU students in Washington, D.C., is not an outlier. The RIAA sued 21 "John Does" at Boston University on May 2. The alleged infringing activity in that case goes back to January 15, meaning the RIAA waited nearly four months.

Now, there's no legal obligation for colleges or universities to keep records of temporary IP address assignment, assuming addresses are allocated on demand through a protocol like DHCP. (They also can be allocated semi-permanently based on geographic location such as residence hall or campus office.)

"Georgetown University uses DHCP to assign IP addresses but in order to protect the integrity of our computer security systems we do not release information about length of storage," Georgetown spokeswoman Julie Green Bataille told me on Wednesday. For its part, GWU didn't reply at all.

The reason I know there's no legal obligation is that I spent much of the last three years writing about precisely this topic: lobbying Congress to enact mandatory IP address logging was a favorite hobby of former attorney general Alberto Gonzales. Even though some companies like Comcast decided to extend their logging policy to six months, Gonzales still resigned without getting what he wanted.

Universities may want to keep longterm logs of IP addresses assigned in hopes of discouraging file-sharing. Multi-month logs may help identify network misuse. On the other hand, schools may try to protect their students' privacy by keeping logs for only a few days (and then may not want to publicize it for fear of being publicly criticized by the RIAA or Congress for being "soft on piracy").

While schools have the right to set whatever policies they want--in a pro-copyright or pro-privacy direction--they should at least be public about it. That would let students, faculty, and staff debate the topic in the open rather than let rules be set in private by attorneys or administrators who tend to be far too risk-averse. It would also, I suppose, let students who are wavering between one school and another decide whether they'd rather attend a school that has chosen copyright as a paramount value, or one that has embraced privacy instead.

(If you know more details about a particular university's data retention policy, please post them below...)

[Matthias E]

New ways for Universities to attract students

Will we see a new form of advertising from the Universities and Colleges in the US or maybe in the world?
A pro-private attitude of some Universities can lure over students to them.
Most Students like music. Some Students like challenges. Teenagers and Young adults are known to test bounderies.
Put everything together and you have a nightmare for the RIAA and a recipie for Universities and Colleges to increase their student count and their financial future.

[balonga]

freedom is always attractive

and the defense of privacy and human rights. Universities or anyplace where this ultra important things are defended will be attractive both for suns and parents.
RIAA like MS should be stopped bothering and/or suing people.
If they could not find a good marketing policy and a better self defense without invading everyone else they have no right to nothing.
First fact necessary to be respected is respect, go tell Gates, RIAA and their lawyers.

[CharlesRovira]

It cuts BOTH ways...

If the RIAA wants IP addresses, let them label the tunes with
- who the owner is, (you'd be surprised how many artists don't own their own songs, even when they wrote them,)
- what rights are available, (this "All Rights Reserved" crap simply doesn't work,) and
- what the right the end user actually has.

Keep a copy of the contracts in a CDDB-type accessible database.

[rcrusoe]

Universities only need to log what they choose

If a university, or business, chooses to dump their logs after a short period because they are no longer needed, then so what?

Why should they have to go to the expense to store, (backup, maintain, etc.) records just in case some business with a busted business plan wants to go trolling through their private data?

[Skylaw]

It's easy to get around the disposition of IP addresses

All the RIAA has to do is notify the university that a suit is about
to be filed and require that all documents potentially related to
the suit (in all forms, electronic or paper) must be preserved.
This is particularly easy if the university is named in the suit for
aiding or abetting the infringement, or that its employees will be
called as witnesses.

[zboot]

Read the story

The RIAA is waiting 4+ months before serving the schools with requests for information. If the school deletes such logs every 3 days, then no matter what data is preserved when they get the papers in September, any infringement that occurred in February cannot be traced.

Now, the wait period could be due to a lot of things so I'm not going to even try to speculate on that or suggest how the RIAA could get around this.

[ColdMast]

RIAA is out of control

their using tactics that should only be used against pedophiles,

and going after kids

the RIAA and its affiliates are only going to encourage file swappers to be more private, while facing potential consumer backlash or their spiteful business practices.

?And remember, where you have a concentration of power in a few hands, all too frequently men with the mentality of gangsters get control. History has proven that. All power corrupts; absolute power corrupts absolutely.?

- Lord Acton

[rpruett]

We're supposed to keep them??

I hate to admit it but I have no idea how long we keep a log of our stuents IP address. They are on a seperate network from the day-to-day business of the college so it just does not seem important. As most IT professionals in the academia world are "underpaid and overworked" if the RIAA were to come after this small private college there is really not much I could do for them (not that I really want to). I enjoy the latest and greatest technology as much as the next person but when it come to music I still rely on the good old radio.

[richto]

Well if they come asking

Well if they come asking, Im sure you will suddenly discover that your policy is that no logs at all are kept and you cant help them.

Unless you want your student sued by pigopolist record companies?

[Penguinisto]

Log whatever you like. It's your network.

Aside from Sarbanes-Oxley issues (which I suspect colleges are well clear of, qualification-wise, no?), any non-commercial entity which has users passing through it to the Internet is free to keep logs for whatever retention period they want.

Personally, if I were a college network, I wouldn't bother. The reasons are simple:

* most college networks are (still) staffed mostly by student volunteers - who happen to have access to the logs - who can (with a bit of work) alter them at any time. That makes them unreliable. We won't even have to touch on the traffic in 'off-the-books' login names that are created which track to, well... nobody.

* anything older than two weeks has no real benefits to outweigh the burden of disk space and backup tape.

* college networks are (still) notoriously insecure.

* What makes you so sure I'm John Doe #48, and not the guy who copied #48's login info from his freshman orientation kit, which he left sitting out in easy view on the desk next to mine? He's a Drama major anyway, bragging about having his own place off-campus, so he prolly won't ever use it...

* The most popular ISP in a college dorm building is an unsecured wireless one named "linksys".

I could go on, but I think y'all get the idea.

/P

[bobby_brady]

The CEO tard at Warner Brothers kids stole music

The **** should be in prison. After all, it's been proven that his kids STOLE MUSIC. Come-on you ****, practice what you preach, admit yourself to jail.

[WhittZ]

Records Management and the RIAA

I do not know if universities require SOX (Sarbanes-Oxley) compliance, if so, it is THE school's records management procedure that will dictate how long they maintain those records, or the law. The RIAA is NOT above the law (though they will never admit this), and have nothing to do with law... and have no say in any company's, private or public, records management.

The RIAA (along with the MPAA and similar thugs) will be going down. They are already losing market share to Apple, Real/Rapsody and the beloved indie labels and their continued gestapo practices shall only bring them further self-destruction and alienation with consumers. The world prays for that day they will be no more.

[richto]

LOL @ SOX

Of course they dont require Sarbanes Oxley compliance - thats the accounting standards that large US quoted pubic corporations have to follow. (And one of the many reasons why London is now the worlds leading equity market instead of New York!)

And even if they did, SOX doesnt cover DHCP lease records!

[rcardona2k]

What else will you be tracked by?

Students are tracked by Student ID swipes, SSNs, RFID sensors, and now IPs. What's next, will the public toilets (a shared resource) start keeping biological samples?

Stop the madness.

[balonga]

liberty is not for trade

you can not trade freedom for authoring rights.
Authoring rights can only be defended defending freedom and privacy at the same time.
All invading of privacy is against authors which will be the first to be persecuted by any Big Brother a country may suffer. Truly authors with real genious and authority know this.
Authors and everybody knows that if you do not respect -you ignore- others rights you can not defend yours. RIAA, MS and alike seem not to understand this easy facts, worse for them.
I hope the land of the free and the home of the brave do not surrender to them.

[likes2comment]

10 Day logs - We use webtrends for websites

The company I work for keeps server/website logs for 10 days. We use webtrends for website logging. Our logs run gigabytes, hence the 10 day limit and that's just to allow us to fix problems. All reporting on statistics comes from webtrends. No individual statistics, just group trends. F** the RIAA.