Despite the efforts of the higher education community, the final version of the HEOA reauthorization requires a college or university to develop a plan to combat digital copyright infringement, including the use of one or more “technology-based deterrents”.23 The regulations outline four specific types of technical deterrents: i) Bandwidth shaping ii) Traffic monitoring iii) Accepting and responding to Digital Millennium Copyright Act (DMCA) notices and iv) Commercial products designed to reduce or block illegal file sharing.24 Schools who fail to comply with these provisions risk incurring steep fines and losing federal funding for students (Wada 2008). The HEOA was passed July 31, 2008 and signed into law on August 14 of that year.
DPI Vendors Develop HEOA Compliant Solutions
The result of this mandate has been a widespread adoption of technological solutions by higher education institutions to specifically monitor P2P file-sharing activity on campuses, including in dorm areas, where such activity most often occurs. In fact, a niche market of DPI-based solutions has developed, with vendors designing and marketing packages specifically to colleges and universities. In October 2010, for example, Procera released PacketLogic Smart Campus, a solution with DPI capabilities that the company bills as a turnkey network and traffic management solution specifically for higher education institutions.25 The product was first demonstrated at the Educause 2010 conference. Audible Magic CopySense is another DPI-based solution which has become fairly popular with colleges and universities. Audible Magic positions CopySense as a solution that helps institutions comply with the HEOA and has a built-in graduated response system.26
Heterogeneous Implementation of HEOA-Compliant Plans
On May 18, 2011 Educause held a webinar and online discussion with members of the legal counsel and IT departments from universities around the country. The record shows great variance in both the policies used to address illegal P2P file sharing and the scope of implementation (A P2P, DMCA, & HEOA FAQ 2011). Several key findings about the adoption of HEOA requirements emerged from this dialogue. Colleges and universities have increasingly been receiving pre-litigation settlement letters attached to DMCA notices. This has been deemed as a deceptive effort on the part of copyright holders to easily get money from suspected infringers. Universities are not required by law to forward these letters to their students. The general sentiment of higher education administration is that while “technology-based deterrents” are required, this provision is subject to substantial interpretation. For instance, responding to DMCA notices falls under this category and would not require a school to purchase additional technical solutions. Universities are given a significant amount of autonomy with regards to the design of their plans and it is up to each school to review its plan on a regular basis for effectiveness.
Heidi Wachs, Director of IT Policy and Privacy Officer at Georgetown University advised other universities that they should be cautious of implementing content filtering tools too broadly, as this could cause them to lose their safe harbor protections. “The use of content filters inverts the DMCA’s burden on rights holders and shifts it to ISPs” (Storch and Wachs 2011). Joseph Storch, Associate Counsel at the State University of New York concurred: “Active monitoring is not only not required by the HEOA, but it may make you lose your safe harbor – be very, very careful before you implement one of those systems” (A P2P, DMCA, & HEOA FAQ 2011).
Individual Example: Syracuse University
The costs of responding to DMCA notices and the legal risks to students and the university led Syracuse University’s Information Technology and Services department to purchase a pair of Palo Alto PA-4060 firewalls recently. With few exceptions, the University blocks all P2P protocols within campus borders. The Palo Alto firewalls were chosen because of their packet-shaping and application inspection capabilities. They detect and block most known P2P protocols. Note that the system targets the use of P2P applications and does not detect copyrighted files per se. It is a pre-emptive measure that indiscriminately blocks certain applications.
Overall, the implementation of these firewalls has dramatically reduced the number of DMCA notices received by the University. The importance of these technological measures becomes apparent in considering a recent hardware failure of one of the two Palo Alto firewalls in October 2010. In one week the Director of Information Security at Syracuse University suddenly received between 30-40 DMCA notices.27 When the firewalls are fully functioning, the number of DMCA notices per week is basically zero.
Responding to a DMCA notice can be arduous. When a DMCA notice is received, the Director of Information Security must look through the University’s web logs to find the student ID matching the IP address and time stamp of the notification. Once this information is found, the University policy follows a graduated response approach with the following steps:
Step 1: The machine of the alleged copyright infringer is quarantined and he/she is notified that they may be involved in illegal activity. They are directed to read SU’s Computing and Electronic Communications policy. When they respond their computer is turned back on.
Step 2: The student must meet with the Director of Information Security for counseling.
Step 3: The machine is quarantined from the network and the infringer, if a student, is referred to an upper level Dean or another member of upper level administration for further disciplinary action.
In the case of SU, only one case has ever progressed to Step 2, and none have reached the third stage. Recognizing the significant amount of information that technological measures such as DPI can collect, colleges and universities claim that they go to great lengths to ensure that personal information of individuals/alleged infringers are never disclosed to copyright holders directly. In this respect, there is primarily only a one-way dialogue between copyright holders and higher education institutions.
The Syracuse University IT department is now considering using the Palo Alto firewalls for other purposes. They may replace access control lists (ACLs), a way of blocking common security threats that involves costly and mistake-prone command line input, with the Palo Alto firewalls. The firewall might also be configured to start investigating web traffic for malware. In both cases, however, they are very concerned about over-blocking.
Analysis and Conclusion
Attempts to apply DPI to copyright enforcement have generated extensive public policy debate. In both Europe and America, the prospect of its use has mobilized social and economic interest groups around Internet governance issues and resulted in some institutional change. The most far-reaching debate took place in Europe, where the possibility of using DPI as part of a mandatory graduated response system applicable to all ISPs was, for a time, a live option. The stronger US laws immunizing ISPs seem to have kept the American debate confined to the education sector.
The surveillance potential of DPI technology facilitated a major reassessment of two of the three key Internet governance principles cited in the introduction: intermediary immunity and the confidentiality of communications. The knowledge among well-resourced actors that DPI was an option destabilized earlier policy equilibriums. It created a fork in the road, where the established principles had to be reaffirmed, or revised, or discarded. The departure from the end to end principle that DPI seems to enable, on the other hand, was not a strongly contested issue in this case.
On the whole, attempts to apply DPI to copyright policing did not realize the more radically disruptive potential of the technology. A radical implementation would make the Internet access network itself responsible for surveillance, detection, notification and enforcement. Copyright holders did not succeed in getting a true “inside the network” implementation of DPI, except in some universities. Their vision of how the new technical capability could be used foundered in the face of challenges based on user and ISP resistance. As predicted, network operators in both Europe and the U.S. strongly opposed adopting the technology to benefit a third party (copyright holders). Both commercial ISPs and university networks rejected the imposition of copyright policing – even when both were willing to adopt DPI for other reasons that directly served their own interests. The significance of public interest groups in the US and Europe should also be acknowledged. They successfully campaigned against the use of DPI and graduated response, invoking privacy and the rights to Internet access, free expression and due process.
In both cases there were attempts to form private stakeholder discussion groups to arrive at a negotiated resolution. In both cases they failed. When implementation of a new technology involves a zero sum game over the distribution of costs and benefits, such negotiations are unlikely to succeed. Although the UK and France did generate MoUs between ISPs and rights holders, agreements were mediated and directed by governments. In both cases the end result was hard legislation anyway (the HADOPI law and UK Digital Economy Act). The European Stakeholder Dialogue Group produced no results whatsoever, and the American JCHEEC, while thoroughly educating the parties about the technical options and the views and needs of the other parties, produced modest modifications of practice. And those results did not prevent later recriminations and a resort to legislation by the copyright interests.
While falling short of a more disruptive adaptation to DPI, one can see incremental change in these cases that could, when combined with developments in other DPI use cases, lay the groundwork for more transformative outcomes. Commercial ISPs already widely use DPI for intrusion detection and prevention, and often use it to limit or block P2P file-sharing for bandwidth conservation. Similarly, even as they resist impositions, universities may choose to block file-sharing protocols to conserve bandwidth or minimize the transaction costs associated with responding to DMCA notice and takedown requirements. A combination of negotiations and legislative pressure did succeed in getting many universities to adopt graduated response policies and educational programs, and sometimes even DPI-based technical measures. Legislation that threatened higher education funding sources helped to create an incentive structure that pushed many universities into further use of DPI.
Despite the political resistance and the limitations placed on its use, DPI is spreading. But so far it is deployed more as a tool of network operators’ policy than as a direct tool of public policy. As such, the deployments of DPI reflect the individualized concerns, interests and constraints of the network operators. In the copyright arena, law and public policy set the parameters of ISP responsibilities, such as notice and takedown requirements. But for the most part, the operators still decide how DPI fits into those requirements, if at all. However, the more responsibility for regulation and control of internet use that is placed upon ISPs, the stronger their incentives to adopt some kind of user surveillance. Furthermore, once it is installed DPI can absorb and integrate some additional functions beyond the ones that led to its initial installation.
Allot Communications. 2007. Network visibility and service management utilizing deep packet inspection (DPI) technology.
Artan, N. S. and H. J. Chao. 2007. Design and analysis of a multipacket signature detection system. International Journal of Security and Networks 2(1-2): 122-136.
Bach, D. 2004. The Double Punch of Law and Technology: Fighting Music Piracy or Remaking Copyright in a Digital Age?. Business and Politics 6(2).
Bendrath, R. and M. Mueller. 2011. The end of the Net as we know it? Deep packet inspection and Internet governance. New Media & Society. April 27. Available from: <http://nms.sagepub.com/content/early/2011/04/27/1461444811398031.full.pdf+html>.
Bridy, A. 2010. ACTA and the specter of graduated response. PIJIP Research Paper no. 2. American University, Washington College of Law. Washington, DC.
Carpenter, B. E., ed. 1996. Architectural principles of the Internet. RFC 1958. Network Working Group. Internet Engineering Task Force. Reston, VA. Available from:
Cesarini, L. and Cesarini, P. 2008. From Jefferson to Metallica to your campus: Copyright issues in student peer-to-peer file sharing. Journal of Technology Studies 34(1). Available from: <http://scholar.lib.vt.edu/ejournals/JOTS/v34/v34n1/cesarini.html>.
Chester, J. 2006. The End of the Internet? The Nation. February 1.
Communications Decency Act (CDA). § 230 (1996). Available from:
Court of Justice of the European Union. 2011. Case C-70/10 Scarlet v SABAM, Opinion of
Advocate General Cruz Villalón (April 14, 2011). Available from:
Crew, K. 2001. Case Summary- A&M Records, Inc. v. Napster, Inc.: Implications for the digital music library. Digital Music Library Project. Indianapolis, Indiana. Available from:
Danneels, E. 2004. Disruptive technology reconsidered: A research agenda. Journal of Product Innovation Management. 21: 246-258. Available from: <http://tourism.wu-wien.ac.at/lehrv/lven/05ws/lv4/danneels_disruptive.pdf>
De Beer, J. and C. D. Clemmer. 2009. Global trends in online copyright enforcement: A non-
neutral role for network intermediaries? Jurimetrics 49 (4): 375-409. Tempe: American Bar Association Section of Science & Technology Law and Sandra Day O’Connor College of Law.
Dharmapurikar, S., P. Krishnamurthy, T. Sproull, and J. Lockwood. 2004. Deep packet
inspection using parallel bloom filters. IEEE Micro 24(1): 52-61.
Disco, C. 2005. Back to the drawing board: Inventing a sociology of technology. 29-60. Inside the Politics of Technology: Agency and Normativity in the Co-Production of Technology and Society, edited by H. Harbers. Amsterdam: Amsterdam University Press.
Digital Millenium Copyright Act (DMCA) § 512 (1998). Available from:
A P2P, DMCA, & DMCA, & HEOA FAQ. 2011. Produced by Educause. 101 min. Webinar. Available from: <http://www.educause.edu/Resources AlphabetSoupAP2PDMCAandHEOAFAQ/228726>
European Commission. 2000. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce'). Official Journal L 178 , 17/07/2000 P. 0001 – 0016. Available from: <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:EN:HTML>.
European Commission. 2004. Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. Official Journal of the European Union L 157 of 30 April 2004. Available from:
European Commission. 2009a. Agreement on EU Telecoms Reform paves way for stronger consumer rights, an open internet, a single European telecoms market and high-speed internet connections for all citizens, MEMO/09/491, Brussels, 5 November 2009. Available from:
European Commission. 2009b. Study on Online Copyright Enforcement and Data Protection in Selected Member States, November 2009. Brussels, 2009. Available from: <http://ec.europa.eu/internal_market/iprenforcement/docs/study-online-enforcement_en.pdf>.
European Commission. 2010a. Communication From The Commission To The European Parliament, The Council, The European Economic And Social Committee And The Committee Of The Regions: A Digital Agenda for Europe, COM(2010) 245 final/2, Brussels, 26 August 2010.
European Commission. 2010b. Stakeholders' dialogue on illegal up- and downloading, draft summary of meeting minutes (2 June 2010), Brussels, 2010.
European Commission. 2010c. Stakeholders' dialogue on illegal up- and downloading, draft summary of meeting minutes (1 July 2010), Brussels, 2010.
European Commission. 2010d. Study on Online Copyright Enforcement and Data Protection in Selected Member States, April 2010. Brussels, 2010. Available from: <http://ec.europa.eu/internal_market/iprenforcement/docs/study-online-enforcement_042010_
European Commission. 2010e. Report from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Application of Directive 2004/48/EC of the European Parliament and the Council of 29 April 2004 on the enforcement of intellectual property rights. COM(2010) 779 final. Brussels, 22.12.2010. Available from:
Gillespie, T. 2007. Wired shut: Copyright and the shape of digital culture. Cambridge, MA: MIT Press.
Green, K. 2007. Swiftboating higher education on P2P. Inside Higher Ed. November 15. Available from: <http://www.insidehighered.com/views/2007/11/15/green>.
Harbers, H., ed. 2005. Inside the Politics of Technology: Agency and Normativity in the Co-
Production of Technology and Society. Amsterdam: Amsterdam University Press.
Harrelson, W. C. 2010. Filtering the Internet to prevent copyright infringement: ISP safe harbors and secondary liability in the U.S. and France. New Matter. 35(1). Available from: <http://www.tobinlaw.us/announcements/harrelson.pdf>.
Horten, M. 2010. Where copyright enforcement and net neutrality collide - how the EU telecoms package supports two corporate political agendas for the Internet. PIJIP Research Paper no. 17. American University, Washington College of Law. Washington, DC. Available from: <http://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=1017&context=research>.
Horten, M. 2011. The Copyright Enforcement Enigma: Internet politics and the ‘telecoms
package.’ London: Palgrave MacMillan.
Hutty, M. 2010. Analysis of technical measures to suppress online copyright infringement. Presentation at the Stakeholders’ Dialogue on Illegal up and Downloading. 2 June. Brussels. Available from: <http://www.euroispa.org/files euroispa_x20copyright_x20dialogue_x20technical_x20measures.pdf>.
Kumar, S., J. Turner, and J. Williams. 2006. Advanced algorithms for fast and scalable deep packet inspection. Proceedings of IEEE/ACM ANCS '06 San Jose, California.
Lemley, M. A. and L. Lessig. 2000. The end of end-to-end: Preserving the architecture of the Internet in the broadband era. Social Science Research Network (SSRN), Stanford Law & Economics Olin Working Paper No. 207. Available from:
Lessig, L. 2005. Free culture: The nature and future of creativity. New York: Penguin.
Litman, J. 2001. Digital copyright. Amherst, NY: Prometheus.
McIntyre, T. 2008. SABAM v. Scarlet: Belgian ISP released from obligation to filter network for illegal downloads. IT Law in Ireland (Blog). October 26. Available from: <http://www.tjmcintyre.com/2008/10/sabam-v-scarlet-belgian-isp-released.html>.
McIntyre, T. J. 2009. Three strikes for Ireland - Eircom, music industry settle filtering case. IT Law in Ireland (Blog). January 29. Available from: <http://www.tjmcintyre.com/2009/01/three-strikes-for-ireland-eircom-music.html>.
Mochalski, K. and H. Schulze. 2009. Deep packet inspection: Technology, applications & net neutrality. Ipoque. Available from:<http://www.ipoque.com/sites/default/files/mediafiles/documents/white-paper-deep-packet-inspection.pdf>.
Mueller, M. L. 2010. Networks and states: The global politics of Internet governance. Cambridge, MA: MIT Press.
Riley, C. and B. Scott. 2009. Deep packet inspection: The end of the Internet as we know it?
Free Press. Available from: <http://www.freepress.net/files
Saltzer, R. H., D. P. Reed, and D.D. Clark. 1984. End-to-end arguments in system design. ACM Transactions on Computer Systems. 277-288.
Samuelson, P. 1996. Intellectual property rights and the global information economy. Communications of the ACM. 39(1).
Stallman, R. 2002. Free software, free society : selected essays of Richard M. Stallman. Boston: Free Software Foundation. Available from: <http://www.gnu.org/philosophy/fsfs/rms-essays.pdf>
Storch, J., and H. Wachs. 2011. A legal matter: Peer to peer file sharing, the Digital Millenium Copyright Act, and the Higher Education Opportunity Act: How Congress and the entertainment industry missed an opportunity to stem copyright infringement. Albany Law Review. 74(1): 313-360. Available from:
Vaidhyanathan, S. 2001. Copyrights and Copywrongs: The rise of intellectual property and how it threatens creativity. New York: New York University Press.
Vorhaus, D. and M. Bieberich. 2007. Knowledge is power: The role of deep packet inspection in generating new revenue streams.Yankee Group
Wada, K. 2008. Illegal file sharing 101. Educause Quarterly. 31(4). Available from:
1 Declaration of the European Ministers for Audiovisual Affairs and the Member of the Commission in charge of Information Society and Media attending the 2005 Europe Day at the Cannes Film Festival, 17 May 2005, http://ec.europa.eu/avpolicy/docs/other_actions/cannes_decl_2005_en.pdf
2 BEUC’s response to the Public Consultation on Network Neutrality, X/070/2010, 30 September 2010. BEUC’s response to the Public Consultation on the E-Commerce Directive, X/078/2010, 8 November 2010.
3 Guez, M. 2010. Technical measures in the context of the Hadopi Law (France). Société civile des producteurs phonographiques (SCPP). Presented at the Stakeholders' dialogue on illegal up- and downloading meeting on June 2, 2010, Brussels, http://fr.readwriteweb.com/wp-content/uploads/2010/09/Slides-SCPP.pdf
4 Consultation on Legislative Options to Address Illicit P2P File-Sharing, 2008 July, http://www.berr.gov.uk/files/file47139.pdf .
5 “MOU between ISPs and rights holders,” BPI, 24 July 2008,
6 BEUC’s Open letter to The Conciliation Committee on Telecom Package, X/073/2009, 15 October 2009.
BEUC’s 8 Priorities for the Spanish Presidency, X/080/2009, 09 November 2009.
7 European Parliament, Parliamentary questions. Answer given by Mr. Barnier on behalf of the Commission, 4 May 2010, http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2010-1910&language=EN
8 European Parliament, Parliamentary questions by Stavros Lambrinidis (S&D) and Sophia In ‘t Veld (ALDE) to the Commission, 26 March 2010, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+WQ+E-2010-1910+0+DOC+XML+V0//EN
9 Interview with European ISP, 10 November, 2010.
10 Questionnaire for the public consultation on the future of electronic commerce in the internal market and the implementation of the Directive on Electronic commerce (2000/31/EC), 10 August 2010, http://ec.europa.eu/internal_market/consultations/docs/2010/e-commerce/questionnaire_%20e-commerce_en.pdf
11 “European Commission may compel ISPs to combat users’ IP infringement,” OUT-LAW.COM, 6 January 2011, http://www.out-law.com/page-11703
12 Recording Industry Association of America, Inc., v. Verizon Internet Services, Inc., 19 December 2003, http://www.internetlibrary.com/pdf/RIAA-Verizon-DC-Cir.pdf
13 JCHEEC RFI focused on technology opportunities for addressing issues associated with peer-to-peer file sharing on the university and college campus, 23 April 2003, http://www.educause.edu/EDUCAUSE+Major+Initiatives/JointCommitteeoftheHigherEduca/RFIApril2003/1278
14 Background Discussion of Copyright Law and Potential Liability for Students Engaged in P2P File Sharing on University Networks, prepared by Michael J. Remington, Esq., Drinker Biddle & Reath LLP, for the Education Task Force of the JCHEEC, 8 August 2003, http://www.acenet.edu/AM/Template.cfm?Section=Home&CONTENTID=11008&TEMPLATE=/CM/ContentDisplay.cfm
15 University policies and practices addressing improper peer-to-peer file sharing, 2004 April. JCHEEC. http://www.acenet.edu/AM/Template.cfm?Section=Government_Relations_and_Public_Policy&template=/CM/ContentDisplay.cfm&ContentID=8503
16 JCHEEC letter to presidents from Penn State University president Graham Spanier and RIAA president Cary Sherman regarding illegal file sharing, 16 August 2005, http://www.acenet.edu/AM/Template.cfm?Section=Government_Relations_and_Public_Policy&template=/CM/ContentDisplay.cfm&ContentID=11754
17 Nick Semenkovich, “RIAA sends thirty pre-litigation letters over alleged music piracy,” The Tech, 12 October 2007, http://tech.mit.edu/V127/N45/riaa.html
18 Eliot Von Buskirk, “RIAA launches P2PLawsuits.com,” Wired, 27 February 2007, http://www.wired.com/listening_post/2007/02/riaa_launches_p/
19 Nate Anderson, “Another school says "no" to RIAA pre-litigation letters,” Ars Technica, 9 March 2011, http://arstechnica.com/tech-policy/news/2008/01/another-school-says-no-to-riaa-prelitigation-letters.ars
20 Nate Anderson, “New bill lets colleges use federal funds to fight P2P,” Ars Technica, 2 April 2007, http://arstechnica.com/tech-policy/news/2007/04/new-bill-lets-colleges-use-federal-funds-to-fight-p2p.ars
21 Brooks Boliek, “Politician eyes taxpayer money for piracy war,” Reuters, 29 March 2007, http://www.reuters.com/article/2007/03/29/industry-piracy-dc-idUSN2934796120070329
22 Infringement-Suppression Technologies- Summary Observations from a Common Solutions Group Workshop, 2 June 2008, http://www.stonesoup.org/docs/copyright-technology.pdf
23 Final HEOA Regulations Issued for P2P Provisions, 29 October 2009, http://www.educause.edu/blog/SLWorona/FinalHEOARegulationsIssuedforP/189008
24 Federal Register Part II: Dept. of Education 34 CFR Parts 600, 668, 675, et al. General and Non-Loan Programmatic Issues; Proposed Rule, 21 August 2009, http://edocket.access.gpo.gov/2009/pdf/E9-18550.pdf
25 Procera introduces PacketLogic smart campus, 12 October 2010, http://www.proceranetworks.com/recent-press-releases/668-procera-introduces-packetlogic-smart-campus.html
26 Audible Magic, “Audible magic solutions- colleges and universities”, http://audiblemagic.com/solutions-colleges.php
27 Interview with Chris Croad, Director of Information Security, Syracuse University, 23 February 2011.