Oregon Attorney General Takes on RIAA Over P2P Unmasking

Chief among the motion’s legal arguments is that the Family Education Rights and Privacy Act (FERPA) prohibits the release of information demanded by the RIAA. The same argument has been raised by student defendants around the country trying to quash subpoenas. Myers also said the John Doe defendants aren’t “readily identifiable from existing records,” the subpoena language is “overbroad,” and the DMCA is the only way for the RIAA to get the information, not through the Rule 45 subpoena it filed.

Showing that the school is sympathetic to the RIAA’s economic plight, Myers said “the university itself is a producer and owner of valuable intellectual property and devotes significant resources to preventing and deterring the infringement of intellectual property rights.” But the university is irked that the RIAA got the subpoena in part by telling the court there’s a “very real danger the ISP [the university] will not long preserve the information” sought. School officials promised the RIAA, which came to them before filing the ex parte, they would preserve the evidence, Myers said.

A more practical consideration for the school is nailing down the users at the IP addresses flagged by the RIAA. In an affidavit, Dale Smith, University of Oregon director of network services, said five of the 17 defendants used P2P services from double-occupancy rooms, so his staff can identify only which room and whether a Mac or PC used P2P services. Another two were in single-occupancy rooms. Whether single or double rooms, a visitor to the rooms, not their residents, could have been doing any file-swapping, since the university doesn’t have login or personally identifiable information, Smith said. The other defendants used P2P services through the campus wireless network, which records a user name upon login, but again the school can’t tell if the person registered to that name is actually on the other end, he said. It’s not possible to identify 16 of the 17 defendants without interviews and forensic investigations of the “computers likely involved.” The latter is “something the university has no right to do,” Myers said in the motion to quash.

University of Oregon information technology department employees could be covered by the RIAA’s subpoena, Hardy said, as well as data on computers associated with the flagged IP addresses. Asking for information “sufficient to identify the alleged infringers,” as RIAA did, without any qualification by date, time and location, could affect a broad swath of the dorms.

FERPA can’t be used by the RIAA to get student records because the school can’t identify them with any accuracy, the motion said, which would violate FERPA’s notice rules. The RIAA recently asked a judge in another student-unmasking case to rule that the trade group need only show “relevance” to get student records under a court order (WID Oct 19 p6). Oregon Administrative Rules mirror FERPA in state law, Myers said.

Myers cited another recent decision in Alexandria, Va., federal court that shot down the RIAA’s Rule 45 subpoena as inappropriate for getting student records (WID July 17 p8). The DMCA’s subpoena process was set up explicitly as an alternative to Rule 45 and has a more rigorous process for approval, he said. Myers cited the ruling in the seminal RIAA v. Verizon case from 2003, often cited by both sides in P2P litigation, which said nothing in the DMCA “contemplated” the use of John Doe subpoenas.

The university asked for the ability to take limited discovery of the RIAA and its agents. Officials want to serve interrogatories to the RIAA to find out what additional information the group claims to have that nails down the John Doe defendants, and to conduct depositions on staff at MediaSentry, the RIAA’s investigator. The RIAA is trying to “co-opt the university to investigate their case for them,” so the school at least needs the same investigatory powers as the RIAA has been granted, Myers said.