The Catholic University of America









The Higher Education Opportunity Act (HEOA), enacted on August 14, 2008, creates new requirements for colleges and universities regarding peer-to-peer (P2P) file sharing. The law and its implementing regulations require student notification of copyright law and its associated penalties, and the establishment of a coherent plan to address P2P activity on campuses. This NACUANOTE discusses the new HEOA requirements established in the statute and regulations, their relation to current legal requirements, and what colleges must do to comply.



It’s Tricky [1]: Current DMCA Requirements for Colleges

Those colleges and universities that directly provide some form of Internet access qualify as Internet Service Providers (ISPs). Like their commercial counterparts, college ISP’s are eligible for the legal protections afforded by the Digital Millennium Copyright Act (DMCA), including safe harbors from liability due to their users’ activities.

To qualify for all of the safe harbors enumerated in the legislation, universities must take some proactive steps. Universities must have a policy or program that terminates repeat infringers and must not prevent copyright owners’ efforts to locate and protect their intellectual property [2]. The requirements distinguish between college-owned devices [3] and personal devices [4].

Send Lawyers, Guns & Money: Congress and the HEOA [5]

In 2008, Congress passed, and President Bush signed, the Higher Education Opportunity Act [6], an amendment to the Higher Education Act of 1965 [7]. Included in the hundreds of pages of the Act, within the section governing Title IV Financial Aid, are short paragraphs requiring all colleges that accept federal financial aid to take steps to stem the spread of peer-to-peer file sharing. The Department of Education (the Department) issued proposed [8] and final [9] regulations on preventing peer-to-peer file sharing in 2009. The regulations reflect compromises reached during earlier negotiated rulemaking sessions with representatives of the entertainment industry and higher education [10] and officially took effect July 1, 2010. Before then, colleges were simply required to make “best efforts” to comply with the statute.

Two Step [11] to Comply: P2P in the Higher Education Opportunity Act

HEOA includes two sections; referred to herein as a "notification" requirement [12] and a "written plan" requirement [13] that affect peer-to-peer file sharing. The Congressional Record that accompanied passage of the statute provides some context to Congress’ intent in crafting this language [14].

Regulate [15]: The Final Regulations on P2P

The final Department P2P regulations clarify the statutory language by further detailing what constitutes actual compliance on a campus. The notification requirements were virtually unchanged [16]. The written plan requirements, however, are far more detailed [17].

The Times They Are a Changin’ [18]: Complying with the New Requirements

Contrary to initial concerns, the new regulations do not require significant expenditures to comply. Colleges do not have to purchase technology-based deterrents and most colleges will not have to expend additional funds or acquire new hardware or software to comply. Rather, the regulations require notification to students, some organization and policy drafting by each college or university, and a decision on whether and how it will comply with the technology-based deterrents requirement, often by continuing current administrative practice.

The Department states that the final regulations only apply to colleges that provide students with "school-maintained and operated internet services," thus exempting those institutions that provide no Internet service [19].


P2P notification will accompany the many other notifications printed (or digitally created) annually in a student handbook or similar document [20]. It consists of three parts: a statement that unauthorized distribution of copyrighted material may bring civil and criminal penalties, a summary of the penalties for violating copyright law, and a description of the college’s specific policies. In June 2010, the Department published a “Dear Colleague” letter summarizing the regulatory requirements, and offering sample language, developed in conjunction with the content industry and colleges, that colleges may use to meet the notification requirement [21]. In the interim and in addition to that sample, other samples appear in this note [22]. The institution need not provide such notice to faculty and staff [23].

Written Plan

If your college does not have a written plan to handle file sharing, the regulations require your college to draft one [24]. The regulations state that these plans do not need to be all encompassing or interfere with your college’s educational or research business practices [25]. The Department specifies that any written plan must apply to all users of a college’s network (including faculty, staff, contractors, and guests), not simply to student users [26].

  • Education

    The written plans must include an educational component. The proposed Regulations stated somewhat opaquely that educating mechanisms “could include any additional information and approaches determined by the institution to contribute to the effectiveness of the plan, such as including pertinent information in student handbooks, honor codes, and codes of conduct in addition to e-mail and/or paper disclosures [27].” Colleges across the country have taken different approaches to educating their students. Cornell, for example, employs an educational video using real students [28], and the University of Michigan has developed “BAYU” or “Be Aware You’re Uploading,” an educational and action system that tracks uploading of content and notifies users that they may be uploading in violation of the law [29]. Your college may use similar or different mechanisms to notify students about appropriate and inappropriate use of copyrighted material, but your college’s tactics should reflect its culture and values.
  • Responding to Unauthorized Distribution of Copyrighted Material

    Your written plan must include procedures for handling unauthorized distribution of material (read: illegal file sharing), including the use of your college’s student disciplinary process. The regulations do not require that the institution actively monitor networks or seek out students to discipline. However, when the issue is brought to the attention of the college, typically by means of a valid DMCA notice, the college must have written procedures for handling the matter, usually, by removing the student from the network, at least temporarily, asking them to remove the offending file from their computer or stop sharing that file, and potentially using the college disciplinary process.

    College disciplinary procedures for illegal file sharing are as diverse as colleges themselves. Some terminate students from the network for short amounts of time, others for longer. Some colleges refuse to terminate students from the network during final exam or study periods. Others charge students a fee to reconnect to the network; sometimes that fee escalates for repeat offenders [30]. Some colleges ask their judicial affairs department to discipline accused students while others leave the discipline to IT professionals [31]. At other institutions, first offenses are handled by IT professionals and subsequent offenses are handled by student affairs administrators. The regulations do not specify how a college must use its disciplinary process for illegal file sharing, just that discipline must be a potential part of the process, at least for certain cases.
  • Technology-based Deterrents

    The institution’s written plan must include the use of one or more technology-based deterrents [32]. Institutions are offered several options for such deterrents, and the regulations state plainly that they do not favor one technology over another [33]. Some technological options are hardware and software blocking packages, aggressive manual (or automatic) processing of DMCA notices, dialing down bandwidth and packet shaping. Each of the above-referenced methods interacts at a different level with network operations. The feasibility of implementing each method will vary from institution to institution. Some examples of technology-based deterrents are:
    • Packet Shaping: Packet shaping works to “shape” the speed of data over the institution’s network. These technologies classify, analyze, and manage the bandwidth, giving priority to certain types of data, such as e-mail while de-prioritizing other types of data, such as shared files [34].
    • Content Filters: Content filters in the form of hardware and software solutions are generally considered the most intrusive and costly of the technology-based deterrent options. These filters are placed directly on the network and scan all network traffic seeking matches to the digital “fingerprints” stored in the device. Files that are a match to these fingerprints are blocked [35].
    • Low-tech Options: Accepting and responding to DMCA notices, as outlined in the notes to § I above. The Automated Copyright Notice System, developed in 2003 by NBC Universal and Universal Music Group (UMG) with support from Disney, provides a technical framework for the automated processing of DMCA notices [36]. Many schools have implemented ACNS, or built onto it, to move away from the time and resource consuming manual processing of the notices [37]. Others handle the process manually.


  • Legal Alternatives for Downloading Copyrighted Material

    The regulations also require that institutions periodically review the current state of legal alternatives for downloading or otherwise acquiring copyrighted material and publish that review on a college Web site or otherwise distribute that information to students. EDUCAUSE makes a list of known legal file sharing alternatives available to the higher education community [38]. Inasmuch as few colleges have the staff to monitor the industry the way EDUCAUSE does, a link to their list may assist institutions in staying in compliance with this requirement as technology and the industry change.

    In addition to publishing the list of legal alternatives, the regulations require that institutions also offer legal alternatives for downloading or otherwise acquiring copyrighted content, “to the extent practicable”. The Department has commented that simply not blocking legal alternatives does not satisfy the requirements, as it is not the same as making legal alternatives available [39]. In a “Dear Colleague” letter issued in June, 2010 the Department reaffirmed that legal alternatives need only be made available to the extent practicable, but provided no further guidance [40]. The road to offering legal downloading alternatives to college students is paved with a lot of mis-starts and failed attempts such as the re-branded Napster, Roxio, and Ruckus [41]. Companies of more recent vintage are meeting with colleges and universities seeking takers for new business models [42].
  • Periodic Review of Written Plan

    Finally, the written plan must include language that requires periodic review of said plan to determine its continuing effectiveness. The proposed regulation stated that “[i]t would be left to each institution to determine what relevant assessment criteria are, [43]” although nothing in the language of the proposed or final regulations defines how long “periodic” is. An annual review of the college’s plan, prior to the annual publication, and in consideration of changes in the technologies and student habits and behaviors, would seem to be reasonable. Some institutions may use a “process-based review” while others find an “outcome-based review” more satisfactory [44].

The Next Episode [45]

While it is unlikely that the regulation’s requirements will be amended in the near term, the entertainment industry continues to seek federal protection from digital content sharing in order to maintain its market share [46]. Concurrently, the industry is using a state-by-state campaign to enact statutes that may require even more effort by colleges and universities [47]. Such state laws may create different requirements for public and private colleges in certain states. Finally, several private and industry groups look to work with colleges to provide legal downloading alternatives.


Closing Time [48]: Final Thoughts on Compliance

College and university attorneys, and the policy makers with whom they work, should consider the unique environment at each institution and craft their compliance with an eye toward that environment and the lessons the institution wishes to impart to its students, while not demonizing any specific technology [49]. While it is perfectly acceptable for a college to use the sample notices provided here or in the Federal Financial Aid Handbook, or to draft a notice that reads like the first screen on a DVD [50], the broad regulations also provide an opportunity to share the college’s values on intellectual property and to educate your students on the distinctions between legal and illegal uses of other’s creative works. Remember that your institution is likely a major creator and user of intellectual property, and may even occasionally avail itself of the protections provided by the law. Further, the written plan requirements provide opportunities to educate students on fair use, property rights, and some of the thorny ethical issues that arise in the digital era. While compliance with the laws and regulations will not be onerously difficult for most colleges, a little creativity will go a long way toward preparing your students for a digital world peppered with questions of creation, ownership and sharing of data and content.