PB/INFO/077 (06/09)

The Janet Acceptable Use Policy (AUP) identifies infringement of copyright as an unacceptable use of the network (paragraph 16). The creation or transmission of any material which infringes the copyright of another person would be a breach of the AUP. Janet-connected organisations are required by the Terms and Conditions for the Use of the Janet Network to take reasonable steps to ensure that users comply with the AUP, in particular to ensure that any unacceptable use of the network, including copyright misuse, is investigated promptly and dealt with effectively should it occur.

Rights-holders and their agents are increasingly monitoring peer-to-peer networks and other Internet services to detect breaches of their intellectual property rights. This factsheet aims to help Janet-connected organisations respond effectively to these complaints.

Receiving Complaints

Complaints relating to IP addresses are generally sent to the e-mail contact(s) listed in the RIPE IP address database (http://www.db.ripe.net/whois). Complaints about particular servers may also be sent to the advertised contacts for those services (e.g. webmaster for web servers). Occasionally, complaints are sent to Janet CSIRT, though this is a less direct route as Janet CSIRT does not have access to logs or other records required for an investigation. Such complaints will be passed to the organisation's registered security contact to be dealt with.

Organisations should therefore ensure that contact details for all their public IP address ranges are up-to-date (different address ranges may have separate contact details listed: Updates to contact details for IP address ranges may be sent to ipaddress@ja.net), that e-mail to these addresses is read frequently, and that those reading it know how to deal with copyright complaints.

Responding to Complaints

Complaints of copyright misuse should include at least the complete IP address (or web URL etc.) of the alleged breach and date and time, or range of times, when the alleged breach occurred. Times should include the time zone in [GMT +0100] format. Many organisations connect to Janet through proxies or network address translation devices and these are more likely to be able to identify the responsible individual if the complaint includes full details of both ends of the connection over which the copyright material was transferred. Prompt complaints, made soon after the event, are more likely to result in successful investigations.

Complaints should also include a working e-mail address to which responses may be sent. This may be used to request further details if insufficient information has been provided. Where complete information has been provided, organisations should respond to confirm that the complaint has been received and will be investigated in line with the Janet AUP and organisational acceptable use policies.

A set of standard responses to copyright infringement notices has been developed in collaboration with UCISA's Networking Group.

Dealing with Complaints

Having received a complaint of copyright misuse, Janet-connected organisations are required to investigate it and should ensure that their local policies support this. Investigation will normally involve the organisation matching the complaint against its own information, such as server, authentication, DHCP and network flow logs. As discussed in the Janet Technical Guide on Logfiles, organisations should normally keep sufficient logs to enable them to link activity on Janet to a responsible individual.

If these logs appear consistent with the complaint, the organisation should identify the responsible individual and contact them to ensure that if a copyright breach has occurred then it stops and is not repeated. If the organisation's logs indicate that the complaint may be incorrect or mis-directed, the organisation should inform the reporter so that they can improve their detection and reporting systems.

If a complaint relates to a visiting user from another member of the eduroam federation then the organisation should forward it to be dealt with under the eduroam policy.

If a user has committed a breach of copyright or of good security practice (for example by allowing others to use their account), the complaint provides an opportunity to warn them of the need to act responsibly in future. Many sites have also reported good results from using these users as ambassadors to spread good practice among their friends and colleagues. This can be an effective way to reduce copyright breaches and improve compliance with the Janet AUP.

Disclosing Information

The Janet-connected organisation's obligations under the AUP will be satisfied once it has taken effective action to stop the reported copyright infringement and to discourage future breaches.

Rights-holders will normally also consider this action sufficient. In the most serious cases, however, rights-holders may wish to take legal action against the individuals responsible. In criminal cases the police can issue a notice under section 22 of the Regulation of Investigatory Powers Act 2000 requiring the organisation to disclose the identity of the user associated with a username or IP address. In civil cases the courts can make orders (known as Norwich Pharmacal orders) with the same effect. Any organisation receiving either a notice or an order must comply if it is able to.

Schedule 2 of the Data Protection Act 1998 also permits (but does not require) an organisation to identify an individual user if it wishes to do so and is satisfied both that this is necessary for the legitimate interests of the rights-holder and that it does not prejudice the rights or legitimate interests of the user. Organisations considering using this power should declare this in their registration with the Information Commissioner and the Fair Processing Notices they give to users, and should take care to comply with their obligations under the Data Protection Act 1998 when using this route, in order to avoid any risk of legal liability. The Information Commissioner’s good practice note on disclosing information to private investigators explains the issues that may arise.

Conclusion

Janet intends to continue to work with rights-holders and connected sites to ensure that processes for reducing copyright misuse are effective. Any comments or suggestions for improvements should be sent to Janet's Chief Regulatory Adviser (Andrew.Cormack@ja.net) and any problems with individual complaints to Janet CSIRT (irt@csirt.ja.net).