November 6, 2002
Dear College or University President,
We are writing in regard to a series of letters you recently received on issues of copyright infringement and peer-to-peer (P2P) file trading networks.  The Electronic Privacy Information Center (EPIC) is a not-for-profit research center that focuses on the right to privacy and emerging civil liberties issues. We believe these issues require a circumspect analysis of the impact of network monitoring on privacy and academic freedom. While network monitoring is appropriate for certain purposes such as security and bandwidth management, the surveillance of individuals' Internet communications implicates important rights, and raises questions about the appropriate role of higher education institutions in policing private behavior.
We recommend that your institution carefully consider the issues recently detailed in a report by the National Science Foundation Logging and Monitoring Project (LAMP).  The LAMP report examines the intersection of network logging, privacy issues, and security risks. It also recognizes the unique environment of higher education institutions, and recommends caution when engaging in monitoring.
While the Recording Industry Association of America (RIAA) has legitimate interests in protecting against infringement, it is worth noting that copyright law sets limits on the exclusive rights of content owners, making some uses of protected material legal.  The copyright trade association approach has not always been sensitive to these different types of uses, while raising significant privacy and speech concerns.  Now, the RIAA wishes to involve colleges and universities in the process of policing the communicative activities of students, staff, and faculty in a way that is significantly outside institutional missions. For this reason, and the considerations listed below, we urge caution in adopting network monitoring and other similar methods to address concerns about infringement.
Network monitoring can have a chilling effect on the marketplace of ideas. It is critical that higher education institutions set policies that foster open-mindedness and critical inquiry. As Chief Justice Earl Warren noted in Sweezy v. New Hampshire, "Teachers and students must always remain free to inquire, to study and to evaluate, to gain new maturity and understanding; otherwise our civilization will stagnate and die." 
Monitoring the content of communications is fundamentally incompatible with the mission of educational institutions to foster critical thinking and exploration. Monitoring chills behavior, and can squelch creativity that must thrive in educational settings. Furthermore, in order to monitor at the level desired by the copyright industry--to detect file transfers "without authorization"--institutions would have to delve into the content and intended uses of almost every communication. Such a level of monitoring is not only impracticable; it is incompatible with intellectual freedom.
Monitoring individuals' network usage leads to data protection responsibilities. Monitoring of individuals' network usage habits generates records subject to a system of protections under the Federal Educational Rights and Privacy Act (FERPA).  In addition to the protections provided by FERPA, a 1997 report by CAUSE (Association for Managing and Using Information Resources in Higher Education) recommends a full system of Fair Information Practices (FIPs) for the treatment of these student records. This framework includes notification of policies; minimization of collection of data; limits on secondary use; nondisclosure and consent; a need to know before granting third parties access to data; data accuracy, inspection, and review; information security, integrity, and accountability; and education. 
Network monitoring appliances can be systems of general surveillance. The RIAA has recommended widespread use of network monitoring to manage P2P file sharing. These technical approaches can become systems of surveillance. Once installed on an institution's network, they could be used for copyright control today, and the control of ideas tomorrow. Institutions should not build in a network infrastructure that facilitates monitoring because "[w]hat may begin as logging activity to protect the efficient and effective functioning of one system can become targeted data collection and surveillance of a specific individual." 
Free environments shun technological controls on behavior. Because individuals at institutions of higher education must always remain free to inquire, colleges and universities are not the place for technological restrictions on communication. Institutions of higher education should not practice content monitoring, an approach that the controlled environments of corporate workplaces and kindergartens have adopted.
Further, institutions that simply install a network monitoring application circumvent deliberative academic policymaking. All stakeholders of the university--including students--must be involved in a process that recognizes the legitimate concerns of the copyright industry without unduly hindering academic freedom, privacy, and fair use rights. As Professor Virginia Rezmierski and Aline Soules have noted:
For a policy to be effective in guiding community behaviors, it must reflect the full range of the community's values, must be understood and embraced by community members, and must reinforce the most important values and the mission of the institution as a whole. An effective policy requires campus-wide discussion and the involvement of each of the major constituencies of the community. 
The purported privacy and security risks of P2P are largely red herrings. The copyright industry alleges that P2P programs jeopardize network security and privacy. While all network-enabled applications raise security concerns, P2P systems are not uniquely vulnerable and do not warrant special treatment on these grounds. Far more damage to data integrity and privacy results from exploits of Microsoft Outlook than from P2P applications. Academic institutions have not responded to Outlook-based security threats with prohibition or surveillance; instead, measures are put in place to limit entry of known threats and educate network users about appropriate protection measures.
Network surveillance and enforcement is likely to lead to an escalating network "arms race," potentially harming overall network integrity and performance. While P2P traffic currently travels over easily identifiable TCP ports, if these ports are blocked or unreasonably throttled, it is likely that this traffic will move to less easily filtered modes. Certain P2P clients already use port 80 (usually reserved for Web browsing) when they detect the presence of a firewall blocking other ports.  Furthermore, file sharing applications utilizing sophisticated encryption already exist,  and are likely to become widely deployed in response to efforts to limit these systems. Academic institutions should not adopt a confrontational role with respect to these technologies. By permitting reasonable use of these applications, they can ensure that the traffic remains identifiable for purposes of efficient bandwidth allocation without the use of needlessly privacy-invasive techniques.
Under current law, educational institutions are required to take down infringing content hosted on a university Web server. These provisions provide an adequate remedy to address online infringement. But this new proposal would shift the burden to colleges and universities to devote scarce resources to monitoring online communications and to identifying and "prosecuting" individuals suspected of using P2P networks to commit copyright violations. This is neither a reasonable nor an appropriate burden to place on institutions of higher education. Refusing to accept this burden will not leave the copyright trade associations without recourse in cases of infringement via P2P networks; instead, the power to authorize policing and adjudicate guilt or innocence will remain where it belongs, in the courts. If a copyright owner suspects such infringement, it can initiate a lawsuit against the suspected wrongdoer.
We recommend that institutions take a careful approach to addressing the legitimate concerns of the copyright industry. We also recommend that institutions not adopt privacy-invasive technologies or policies that impinge upon academic freedom and privacy in order to address those concerns. Network monitoring for bandwidth management is appropriate, but monitoring of individuals' activities does not comport with higher education values.
Mary A. Burgan, American Association of University Professors
Judith Boettcher, Corporation for Research and Educational Networking
Alan Charles Kors, Foundation for Individual Rights in Education
Robert Paterson, SIGUCCS, Association for Computing Machinery
Julie Beatty, United States Student Association
Jackie Tyson, National Association of Graduate-Professional Students
 Letter from Hillary Rosen, Chairman and CEO, Recording Industry Association of America, to College and University Presidents (Oct. 3, 2002), at http://www.riaa.com/pdf/Universityletter.pdf; Letter from David Ward, President, American Council on Education, to College and University Presidents (Oct. 9, 2002), at http://www.riaa.com/pdf/Copyrightletter.pdf. Virginia E. Rezmierski & Nathaniel St. Clair, II, Identifying Where Technology Logging and Monitoring for Increased Security Ends and Violations of Personal Privacy and Student Records Begin, Final Report of the National Science Foundation Logging and Monitoring Project (2001), at http://www.aacrao.org/publications/catalog/NSF-LAMP.pdf. See 17 U.S.C. §§ 107-122, 1008. Jessica Litman, War Stories, 20 Cardozo Arts & Entertainment Law Journal 337 (2002) (forthcoming), at http://www.law.wayne.edu/litman/papers/warstories.pdf; John Markoff, Scientists Drop Plan to Present Music-Copying Study That Record Industry Opposed, New York Times, Apr. 27, 2001; Legal Concerns Delay Publication of Research on 'Digital Watermarks,' Chronicle of Higher Education, Feb, 9, 2001. 354 U.S. 234 (1957). 20 U.S.C. § 1232g. Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities, CAUSE, April 1997, at http://www.educause.edu/ir/library/pdf/pub3102.pdf. Rezmierski & St. Clair at 1.2. Further, "College and university communities are vulnerable to unwitting as well as purposeful abuses of network and information systems." Id. at 1.1. Virginia E. Rezmierski & Aline Soules, Security vs. Anonymity: The Debate over User Authentication and Information Access, EDUCAUSE Review (March/April 2000), at http://www.educause.edu/ir/library/pdf/ERM0022.pdf