The Catholic University of America









The Higher Education Opportunity Act (HEOA), enacted on August 14, 2008, creates new requirements for colleges and universities regarding peer-to-peer (P2P) file sharing. The law and its implementing regulations require student notification of copyright law and its associated penalties, and the establishment of a coherent plan to address P2P activity on campuses. This NACUANOTE discusses the new HEOA requirements established in the statute and regulations, their relation to current legal requirements, and what colleges must do to comply.



It’s Tricky [1]: Current DMCA Requirements for Colleges

Those colleges and universities that directly provide some form of Internet access qualify as Internet Service Providers (ISPs). Like their commercial counterparts, college ISP’s are eligible for the legal protections afforded by the Digital Millennium Copyright Act (DMCA), including safe harbors from liability due to their users’ activities.

To qualify for all of the safe harbors enumerated in the legislation, universities must take some proactive steps. Universities must have a policy or program that terminates repeat infringers and must not prevent copyright owners’ efforts to locate and protect their intellectual property [2]. The requirements distinguish between college-owned devices [3] and personal devices [4].

Send Lawyers, Guns & Money: Congress and the HEOA [5]

In 2008, Congress passed, and President Bush signed, the Higher Education Opportunity Act [6], an amendment to the Higher Education Act of 1965 [7]. Included in the hundreds of pages of the Act, within the section governing Title IV Financial Aid, are short paragraphs requiring all colleges that accept federal financial aid to take steps to stem the spread of peer-to-peer file sharing. The Department of Education (the Department) issued proposed [8] and final [9] regulations on preventing peer-to-peer file sharing in 2009. The regulations reflect compromises reached during earlier negotiated rulemaking sessions with representatives of the entertainment industry and higher education [10] and officially took effect July 1, 2010. Before then, colleges were simply required to make “best efforts” to comply with the statute.

Two Step [11] to Comply: P2P in the Higher Education Opportunity Act

HEOA includes two sections; referred to herein as a "notification" requirement [12] and a "written plan" requirement [13] that affect peer-to-peer file sharing. The Congressional Record that accompanied passage of the statute provides some context to Congress’ intent in crafting this language [14].

Regulate [15]: The Final Regulations on P2P

The final Department P2P regulations clarify the statutory language by further detailing what constitutes actual compliance on a campus. The notification requirements were virtually unchanged [16]. The written plan requirements, however, are far more detailed [17].

The Times They Are a Changin’ [18]: Complying with the New Requirements

Contrary to initial concerns, the new regulations do not require significant expenditures to comply. Colleges do not have to purchase technology-based deterrents and most colleges will not have to expend additional funds or acquire new hardware or software to comply. Rather, the regulations require notification to students, some organization and policy drafting by each college or university, and a decision on whether and how it will comply with the technology-based deterrents requirement, often by continuing current administrative practice.

The Department states that the final regulations only apply to colleges that provide students with "school-maintained and operated internet services," thus exempting those institutions that provide no Internet service [19].


P2P notification will accompany the many other notifications printed (or digitally created) annually in a student handbook or similar document [20]. It consists of three parts: a statement that unauthorized distribution of copyrighted material may bring civil and criminal penalties, a summary of the penalties for violating copyright law, and a description of the college’s specific policies. In June 2010, the Department published a “Dear Colleague” letter summarizing the regulatory requirements, and offering sample language, developed in conjunction with the content industry and colleges, that colleges may use to meet the notification requirement [21]. In the interim and in addition to that sample, other samples appear in this note [22]. The institution need not provide such notice to faculty and staff [23].

Written Plan

If your college does not have a written plan to handle file sharing, the regulations require your college to draft one [24]. The regulations state that these plans do not need to be all encompassing or interfere with your college’s educational or research business practices [25]. The Department specifies that any written plan must apply to all users of a college’s network (including faculty, staff, contractors, and guests), not simply to student users [26].

  • Education

    The written plans must include an educational component. The proposed Regulations stated somewhat opaquely that educating mechanisms “could include any additional information and approaches determined by the institution to contribute to the effectiveness of the plan, such as including pertinent information in student handbooks, honor codes, and codes of conduct in addition to e-mail and/or paper disclosures [27].” Colleges across the country have taken different approaches to educating their students. Cornell, for example, employs an educational video using real students [28], and the University of Michigan has developed “BAYU” or “Be Aware You’re Uploading,” an educational and action system that tracks uploading of content and notifies users that they may be uploading in violation of the law [29]. Your college may use similar or different mechanisms to notify students about appropriate and inappropriate use of copyrighted material, but your college’s tactics should reflect its culture and values.
  • Responding to Unauthorized Distribution of Copyrighted Material

    Your written plan must include procedures for handling unauthorized distribution of material (read: illegal file sharing), including the use of your college’s student disciplinary process. The regulations do not require that the institution actively monitor networks or seek out students to discipline. However, when the issue is brought to the attention of the college, typically by means of a valid DMCA notice, the college must have written procedures for handling the matter, usually, by removing the student from the network, at least temporarily, asking them to remove the offending file from their computer or stop sharing that file, and potentially using the college disciplinary process.

    College disciplinary procedures for illegal file sharing are as diverse as colleges themselves. Some terminate students from the network for short amounts of time, others for longer. Some colleges refuse to terminate students from the network during final exam or study periods. Others charge students a fee to reconnect to the network; sometimes that fee escalates for repeat offenders [30]. Some colleges ask their judicial affairs department to discipline accused students while others leave the discipline to IT professionals [31]. At other institutions, first offenses are handled by IT professionals and subsequent offenses are handled by student affairs administrators. The regulations do not specify how a college must use its disciplinary process for illegal file sharing, just that discipline must be a potential part of the process, at least for certain cases.
  • Technology-based Deterrents

    The institution’s written plan must include the use of one or more technology-based deterrents [32]. Institutions are offered several options for such deterrents, and the regulations state plainly that they do not favor one technology over another [33]. Some technological options are hardware and software blocking packages, aggressive manual (or automatic) processing of DMCA notices, dialing down bandwidth and packet shaping. Each of the above-referenced methods interacts at a different level with network operations. The feasibility of implementing each method will vary from institution to institution. Some examples of technology-based deterrents are:
    • Packet Shaping: Packet shaping works to “shape” the speed of data over the institution’s network. These technologies classify, analyze, and manage the bandwidth, giving priority to certain types of data, such as e-mail while de-prioritizing other types of data, such as shared files [34].
    • Content Filters: Content filters in the form of hardware and software solutions are generally considered the most intrusive and costly of the technology-based deterrent options. These filters are placed