RIAA Sues MIT, Seeks Name of Music SharerBy Keith J. Winstein
NEWS AND FEATURES DIRECTOR
The Recording Industry Association of America sued MIT on Friday, seeking to require the Institute to identify a network user alleged to have illegally offered hundreds of copyrighted music recordings for download on the Internet.
The suit against MIT, and three similar suits against Boston College, came after the two universities balked on procedural grounds at the RIAA’s formal requests under the 1998 federal Digital Millennium Copyright Act, or DMCA, to identify the network users.
The RIAA, a trade group of major record labels, has sent out over 900 of the formal requests, known as section 512 subpoenas, to Internet service providers in the last month as part of a campaign to sue those who illegally trade recordings using the popular KaZaA and Grokster networks.
The aggressive practices reflect a change in tactics for the RIAA, which has not previously sued individual users for trading music recordings online. “We’re going to sue anyone who is infringing our copyrights,” said Amy Weiss, an RIAA spokeswoman. “We’re going to sue anybody who is file trading.”
Under the copyright act, users sued in such a case could be liable for hundreds of thousands of dollars in damages.
RIAA requests user of TDC IP
The RIAA in early July ordered MIT to reveal the name of the user who, as “crazyface,” “was offering hundreds of copyrighted works to the world-at-large” on the KaZaA system at 9:29 a.m. on June 27 from the Internet Protocol address 220.127.116.11, the RIAA wrote in court papers.
The address, assigned by MIT to the Theta Delta Chi fraternity, is assigned to individual users automatically and dynamically by a computer run by the fraternity, said James D. Bruce, the vice president for information systems, so MIT could not initially identify the user or even the computer’s owner.
But MIT decided against telling the RIAA that it is unable to identify the user because the fraternity, not MIT, has assigned the address to an individual user, Bruce said.
Instead, MIT asked TDC to provide it with logs from the computer, known as a DHCP server, that had assigned the address to a particular computer.
The DMCA requires Internet service providers to identify a computer’s user based on such a request “to the extent such information is available to the service provider.”
“The conversation that we had with TDC was, ‘If you provide us the logs, then we can act legitimately,’” Bruce said.
“‘If you do not provide us the logs, then ... once we get a legitimate subpoena the only recourse we have is to point to you,’” Bruce recalled MIT saying to TDC.
Under those circumstances, “they made the choice to give us the logs,” Bruce said.
It is unclear whether those logs go back far enough to identify the person whose computer held the disputed IP address on June 27.
TDC’s officers did not return repeated requests for comment.
MIT to require FSILGs to give logs
As a result of the matter, MIT will revise its agreements with fraternities, sororities, and independent living groups -- for whom MIT provides free high-speed Internet access -- “to say that they will need to provide us the logs on reasonable demand,” Bruce said.
MIT is also “investigating the creation of explicit policies and agreements” to govern whether FSILGs should be able to run their own DHCP servers and assign their own IP addresses in the future, and considering establishing “clearly defined consequences” for failing to keep records up-to-date of what users control what addresses, wrote Timothy J. McGovern, a senior project manager for Information Systems. “The details are still being worked out,” he wrote.
The changes and proposed changes to make MIT able to better identify users of its IP addresses met with some concern. “It seems unlikely that these changes will benefit MIT in its educational or research mission, or significantly improve the MIT computing infrastructure,” wrote Richard S. Tibbetts G, an officer of the Student Information Processing Board.
“I believe that the decision of whether we should change the fundamental architecture of our network so we can always know who’s using it, which may, by the way, add significant burden, ... that’s a decision the community has to make,” said Jeffrey I. Schiller ’79, MIT’s network manager. “I think that’s a community decision and should be made that way,” he said.
MIT, RIAA sue each other
MIT has not yet responded to the RIAA subpoena, delivered in early July, because MIT believes the subpoena was issued through the wrong court and did not give MIT enough time to inform the network user.
As part of the DMCA’s subpoena procedure, a copyright owner must obtain the signature of a clerk of a federal district court. MIT and Boston College have asserted in motions filed in Boston against the RIAA that the court whose clerk signed the RIAA’s subpoenas -- the federal district court in Washington, D.C. -- did not have jurisdiction over the schools in Massachusetts, making the subpoenas invalid.
Because the federal Family Education Rights and Privacy Act, known as FERPA, requires that a school only release student “education records” in response to a “lawfully issued subpoena,” MIT and BC argue they are barred from voluntarily releasing a student’s name in response to subpoenas they say are invalid, and that any subpoena must give the schools enough time -- a few days -- to notify a student that their records will be disclosed and give the student a chance to contest the release of information.
In a response to the MIT and BC motions in Boston, and in four separate lawsuits filed in Washington against the schools, the RIAA argues that the DMCA grants the Washington court jurisdiction to issue a subpoena to the schools, that students have had plenty of time to be notified, and that the names of students with particular IP addresses are not “education records” under FERPA.
MIT’s argument that the names of students corresponding to IP addresses may constitute “education records” appears inconsistent with Information Systems’ practice, which is to allow anyone at MIT to see the owner of a dormitory IP address through the “stella” tool on Athena.
“We probably should look at that,” Bruce said. “No one has raised that question.”
Expert says cases, DMCA unclear
Neither side’s arguments are obviously compelling, said Michael J. Remington, a Washington attorney who was chief counsel to the intellectual property subcommittee of the House of Representatives judiciary committee for most of the 1980s.
“There seem to be good issues on both sides,” he said. Congress, in enacting the DMCA in 1998, did not clearly specify whether the RIAA’s interpretation -- that any court may sign a subpoena -- or MIT’s interpretation -- that the RIAA must go to a service provider’s local court -- is correct, he said.
“If Congress doesn’t pass laws with enough clarity,” he said, these issues have to be solved by litigation.
“What bothers me about decision-making by litigation is that it takes lots of money, it’s fairly slow, it’s subject to appeal, and it doesn’t create nationwide uniformity,” he said.
MIT promises to comply
MIT has emphasized that it will release the name of the user -- if MIT in fact has the name of the user -- if the RIAA sends MIT a subpoena signed by the clerk of the federal district court in Boston giving MIT enough time to respond.
“MIT believes in protecting the privacy of students, and we don’t yield information willy-nilly, but the bottom line is ... we can’t necessarily protect the identities of our students when they engage in illegal file sharing,” Schiller said.
“Nobody is above the law, whether they’re a student or a grandparent,” Weiss, the RIAA spokeswoman, said. “If they’re breaking the law, they’re breaking the law.”
“My advice to people who are using KaZaA for sharing copyrighted files is, ‘Now would be a good time to stop,’” Schiller said.