File-sharing lawsuits raise privacy questions about College network

Students may not be safe from lawsuits, which the Recording Industry Association of America (RIAA) is threatening to bring against users of file sharing services such as Kazaa.

Now, these concerns are swiftly rising at the College, despite reassurances by Mark Berman, director of Networks and Systems, that the College does not record any information about individuals’ internet activity.

The RIAA is able to bring lawsuits, such as those filed last week against 261 individual file sharers. The RIAA found its targets by watching the file sharing networks for illegal activity and then identifying the IP addresses of the computers participating. The IP address is a unique number assigned to each user by his Internet Service Provider (ISP) for use while connected to the Internet. Only the ISP can match up users with IP addresses, but the RIAA was able to subpoena those records and thus hold individuals accountable.

At the College, there have been concerns that not only can IP addresses be matched to users, but that the College may have much more complete data about users’ online activity, including the sites they have visited, which other computers they have connected to and the nature of the files they have downloaded.

According to Berman, these concerns are completely unfounded. “We do not collect any information – other than general statistical data – about students’ computers and online activity,” Berman said, although the College keeps careful watch of the traffic going in and out of the campus network in order to identify possible viruses or hacking attempts.

If the RIAA were to try to subpoena information from the College about the activity of individual students, Berman was adamant that it “wouldn’t even have anything to give them.”

Yet, according to other administrators, it turns out that the College compiles an enormous amount of data about each student’s online activity and those records are kept for up to eight months. Peter Charbonneau, senior Networks & Systems administrator, explained that the Office of Information Technology (OIT) uses an intrusion detection system called Snort to monitor all network traffic for signs of viruses and hacking attempts. But any connection that is maintained for an extended period of time between a computer on the College network and a computer on the Internet shows the symptoms of suspicious activity. Thus, every time a student connects to a file sharing network or to AOL Instant Messenger, Snort takes note and logs the connection.

Therefore, every file download that every student has made for the past eight months is stored by OIT, including the address of the computer to which the student connected, the duration of the transfer and even the first 86 bytes of the file itself (which contains whatever information is stored first in the file, such as the file name or the beginning of a song). The eight months for which the information is stored is a purely arbitrary time period, corresponding to the time it takes for the information to fill up Charbonneau’s hard drive.

According to Charbonneau, each student is assigned a single IP address for all four years and the College knows which IP address is associated with which user.

Contrary to Berman’s claim that the College’s response to an RIAA subpoena would be that they didn’t “have anything to give them,” the College can in fact connect a student’s name to the number that has identified him on the Internet for his entire career at the College. For the prior eight months, the College can also provide the details of what file sharing servers the student has connected to, for how long and what the beginning of each file looked like. Charbonneau said that all of that information would be released to the government or the RIAA, “if forced to by law or by the administration.”

Dinny Taylor, chief technology officer, elaborated on the College’s policy. If the RIAA were to request records of student activity, “we would not give out that information,” she said. “If they came with a subpoena we would go to senior staff and, if together we felt it were appropriate, we would probably go to legal council. . . We haven’t yet had to bring in lawyers to help us figure that out.”

Although the initial series of RIAA lawsuits focused only on users who had made more than 1,000 copyrighted files available for download, the industry has threatened thousands more lawsuits if the popularity of file sharing persists. In the past, colleges have been popular targets for efforts to crack down on file sharing.

But although the RIAA has filed several high-profile lawsuits against colleges and their students in recent months, it has been more focused on working with these schools to prohibit the practice altogether.

Taylor hopes that the College will soon take steps in that direction. In the meantime, students can only wait and see whether the next wave of lawsuits reaches all the way to the Berkshires.