June 22, 2009, 11:08 AM — David Reis, director of IT security and policy at Thomas Jefferson University in Philadelphia, has been on what he calls a "nine-month journey" to figure out exactly how he's going to make sure his school doesn't break the law -- even though they were never in trouble in the first place.
Reis' headaches began at the end of last summer, just after President Bush signed into law the Higher Education Opportunity Act, the first reauthorization of the Higher Education Act since 1998. The act included several new provisions, but the one that has Reis and others on college campuses concerned is a new requirement that schools ensure they are doing all they can to combat illegal file sharing among students. The new rules, according to the wording contained in the legislation, requires institutions to develop plans to "effectively combat the unauthorized distribution of copyrighted material, including through the use of a variety of technology-based deterrents." Schools must also "to the extent practicable, offer alternatives to illegal downloading or peer-to-peer distribution of intellectual property." Any institute found to be non-compliant could lose federal funding.
The provision made its way through due to the heavy lobbying efforts of groups such as the Recording Industry Assocation of America and the Motion Picture Association of America. Until recently, the RIAA had been waging their fight to stop piracy among students by filing individual lawsuits against those accused of illegal file sharing. But recently the RIAA has said it has abandoned that strategy and will now focus efforts on working with Internet service providers to issue warnings to violators. They have also lauded this new provision in the HEOA.
But Reis said illegal file-sharing has never been a problem at Thomas Jefferson University and the requirement uses a broad brush to paint a picture that is inaccurate in many instances.
"We have not received one complaint about one student. Yet now we have to go out and incur the cost to solve a problem that we didn't really have," he said.
Reis estimates he will spend approximately $100,000 implementing new hardware and software in order to be in compliance with the regulation. But figuring out exactly what is needed is not easy. The HEOA is still in the negotiated rulemaking process, so the exact language and interpretation from the Department of Education is still forthcoming.
"Because the HEOA is in effect, campuses are under an obligation to make a good faith effort to comply with the law," according to Steve Worona, director of policy and networking programs with the non-profit organization EDUCAUSE, which supports higher education institution technologists. "But since the department hasn't issued any detailed regulations of what that means, campuses are pretty much on their own to figure out what that means."
Worona referenced a managers' report that was authored along with the legislation that defines the "technology-based deterrents." They include bandwidth shaping, traffic monitoring to identify the largest bandwidth users, a vigorous program of accepting and responding to Digital Millenium Copyright Act notices and a variety of commercial products designed to block or reduce legal file sharing. It's the fourth item on that list that Worona has heard concern about from many school IT officials. Using commercial products to block or reduce illegal file sharing is expensive. But the report states schools need to use some OR all of the technology-based deterrents listed, so the concern is misplaced, he said.
"Among the other three, it's our impression that most campuses are doing one or more of them already. For example, most EDUCAUSE surveys suggest most campuses are doing bandwidth shaping. I think 70 percent is the figure I have seen. We believe most campuses are already accepting and responding to DMCA notices. The legislation and regulation require that campuses employ one or more technology-based deterrents and that means one or more from those four. Two of which we believe campuses are already employing. We believe that most campuses will not find it onerous to comply with this legislation."
Indeed the provision has had little impact on security practice at the University of Delaware. UD, which has a student body of just under 20,000, generally receives very few DMCA notices, but the school has had policy and other file-sharing deterrents in place for some time, according to Scott Sweren, UD's information security officer.
"UD had procedures in place to respond to copyright violation notices prior to the act passing," said Sweren. "After reviewing the act, it was determined that UD's procedures met the HOEA 2008 Act's requirements. So we did not really need to do much to come into compliance."
But for Reis, the provision is what he termed a "significant change for higher education." Thomas Jefferson University is a science and medical school research facility with a much smaller student body than a large university.
"There seems to be a split. The very large state schools have already dealt with this issue because they've had to," said Reis. "Small schools haven't got a robust program in place because we have not encountered it before."
The bill was signed into law after Reis' 2009 budget was already in place, but getting a six-figure approval in 2010 to make the changes necessary was certainly no small request. Reis is looking at Audible Magic and Red Lambda, two very different technologies that both manage peer-to-peer file sharing, as possible investments to be in compliance.
"Tying actually capital and operating dollars to it in this economy to solve a problem we don't really have at our scale has been an issue," he said.