policy@edu
Will Colleges and Universities Become Cybercops?
Garret Sern, EDUCAUSE policy staff As colleges and universities seek to provide ubiquitous Internet access and other network services for their faculty and students, service provider liability comes to the forefront as a major technology policy topic. Your institution will likely be presented with a liability issue sometime soon, if it has not already.
In recent years some confusion has arisen about whether colleges and universities fall within the same category as commercial Internet Service Providers (ISPs). The precise answer to that question depends on the regulatory and legislative context. The line of analysis used by the Federal Communications Commission for ISPs is long and tortured and is influenced by a historical separation between enhanced service providers and telecommunication carriers (a model endangered somewhat by Internet Protocol telephony). Meanwhile Congress has for the most part defined ISPs very broadly. In general, colleges and universities appear likely to be swept in with other service providers in any legislation that seeks to affect ISPs.
Two recent congressional actions showcase how colleges and universities may find themselves either (1) receiving beneficial protections from liability or (2) being increasingly drawn into the legal morass of this new communications medium. Both pieces of legislation define the category of network service providers broadly: colleges and universities that provide Internet services appear to fall within the universe of ISPs affected by the legislation.
Service Provider Liability and the DMCA
Title II of the recently enacted Digital Millennium Copyright Act (DMCA) includes infringement liability exemptions for online service providers (OSPs). The definition of "online service provider" in the context of the OSP copyright liability is extremely broad: "a provider of online services or network access, or the operator of facilities therefor."
Specifically, the DMCA exempts a service provider from any legal liability for copyright infringement conducted by customers using its network as long as the service provider "does not have actual knowledge that the material or an activity using the material on the system or network is infringing" and, "upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material."
The new law and regulations do not require service providers to monitor their networks for infringing material. The law requires only that the providers have a contact person and a mechanism in place to comply with "takedown" requirements on receiving written notification -- from a copyright owner or the owner's authorized designated agent -- that copyright infringement has occurred.
The U.S. Copyright Office recently released a notice of public inquiry intended to solicit public comment on the current system and is expected to issue a ruling on permanent procedures for taking advantage of the liability protection provisions in Title II of the DMCA. In the interim, the Copyright Office requires service providers to take certain steps to be eligible for the liability exemptions contained in Title II of the DMCA. A service provider must designate an agent who will receive notifications of claimed infringement. This information must be supplied to the Copyright Office (along with a $20 fee) and must be posted on the service provider's Web site. The service provider must also develop and post a policy for terminating accounts of repeat offenders and must provide network users with information about copyright laws.
Given the DMCA's all-encompassing definition of "online service provider," one might have expected that educational institutions would be rushing to register with the Copyright Office in order to insulate themselves from lawsuits. However, this has not been the case. As of April 1999, roughly 272 colleges and universities had registered their service provider agents with the Copyright Office for notification of claims of infringement.
Members of the higher education community have voiced a number of concerns about this registration requirement. Does registering with the Copyright Office as a service provider stick a regulatory label on colleges and universities, opening them up to more regulations and possible taxation? In a university system, do individual campuses and schools need to register? What about potential privacy issues arising from the practice of terminating the violating faculty and student Internet accounts? Some state universities have also voiced concern that registering with the Copyright Office would void the current liability protections granted to public institutions.
Institutions that have registered or plan to register, or are concerned about registering, should keep in mind that these are only interim regulations. After studying public comments on this matter, the Copyright Office will issue final registration regulations (most likely requiring another fee). In the meantime, consult your local counsel if your institution is concerned about the collateral ramifications of registering with the Copyright Office as an ISP.
Deputizing Internet Providers
The somewhat passive designated role of service providers under the DMCA does not mean that future Internet legislation will follow similar lines. The recent reintroduction of legislation in Congress to render most forms of Internet gambling illegal may be the first of future Internet laws and regulations requiring service providers to take a more active role in assisting law enforcement.
The Internet Gambling Prohibition Act of 1999 requires service providers to assist law enforcement within the realm of what is "technically and economically feasible." This not only would entail terminating accounts of subscribers found in violation of the act but also would require blocking access to Web sites or taking other measures designated by a court order.
The National Collegiate Athletic Association expressed its support for this bill at a Senate hearing last March. Most of the higher education community, however, is concerned that this latest congressional proposal is far too vague in setting forth what is "reasonably" expected of service providers.
As Congress attempts to craft laws in response to social dilemmas wrought by rapidly changing technologies, it will likely continue to use sweeping and somewhat vague language. Unless that elusive "technological fix" is produced to render such laws unnecessary, service providers -- including colleges and universities -- will likely be expected to play some role in hindering illegal activities conducted on the Internet. The higher education community will not be the only population to benefit if Congress is well educated about the technical and practical boundaries faced by ISPs when they are expected to help enforce the law.
