CMU Cuts off Net Access for 71 Students Over MP3s

PresOdent writes "Carnegie Mellon University cut off network access to 71 students who allegedly put some copyrighted mp3s on their sites on the university's computer network. The university said it discovered the copyright violations last month, when it conducted surprise inspections of student computer files at the order of the Recording Industry Association of America. Read the article from the Chronicle of Higher Education for more info."

It's their network...

While they can't go in and confiscate the students' computers, they are within their rights to deny the students access to the network.

Who in their right mind shares illegal (I am assuming they were copyright infringing) mp3's without at least protecting them with a password???

Re:Sounds worse than it is

Well...

I agree with you in principle. I am a CMU student who didn't lose network access. And I support the actions of Computing Services. If RIAA had to do it, the school's ass would be on the line.

What raised the ire of many of the students (and prompted the action of the Student Senate, and other groups [such as the Student Dormitory Council]) was the violation of Computing Services's own guidelines. By guessing passwords (even if they were easy ones), they were not observing their own privacy statements.

In addition, students with legal MP3s were shut off. Also, students did not receive advance notice, nor did they receive adequate explanations of the actions taken.

--
Max V.

hrm...

The university said it discovered the copyright violations last month, when it conducted surprise inspections of student computer files at the behest of the Recording Industry Association of America.

If I was the head of a univeristy I wouldn't listen to the RIAA, even if they threatened to sue, because they could only bring legal action upon the students. It would be like if I hacked slashdot and put up an mp3 ftp site. The RIAA couldn't prosecute Rob or Hemos. They would find an prosecute me. People are so afraid of the RIAA. If I were in their shoes I would only listen to law enforcement officials.

Re:hrm...

This is a grey area, with the university possibly being responsible for the content within the pages, even if they didn't write them.

FWIW, I'm an admin at a university, and I'd do exactly the same if one of our students posted MP3's on the web.
--

What's funny is...

They were LESS liable for the behaviour of their students BEFORE they started snooping. Now that they've set a precedent of editorial control over content on their network, they will have to keep monitoring for and removing copyright violations (or potential violations, or libel, or obscenity, or any other forbidden-speech-du-jour) from now on.

Which is exactly what the RIAA wants, methinks.

What *REALLY* happened at CMU--article lied

There seems to be a few misconceptions about why people are upset about privacy violations. I'm a CMU student (not one of those involved), and I really think that the journalistic slant is ridiculous. People, you simply have no idea what is going on from that article.

The article said that people were putting up MP3s on Web sites. Uh, no. The university network administrations conducted a sweep of *Windows shared drives* looking for MP3s. Plenty of people have shared drives. Sharing a partition of your drive so that you can use it around campus (like listening to your MP3s in a computer cluster) is not equivalent to posting them to a Web site. Furthermore, the university deliberately broke into some of the computers they examined. Some of the shares were unpassworded. I supposed I can at least understand the university being upset about this, if the shares were obviously intended for public access. However, if CMU found what they deemed to be "dubious" computers, containing *passworded* shares with a name like "MP3", "MUSIC", they started running a password guesser on the computer until they got in.

Now, I can at least see accessing public shares. If they weren't designated as "for public use", that's one thing. But guessing passwords is unforgivable. Quite frankly, if I started trying to "guess" root passwords to the network administrators' computers, I'd be kicked off the network. Evidently, the fact that our computers happened to be connected to the network gives the network admins an idea that they have a right to break into our computers. They broke into some of our *privately owned* computers, into *passworded* segments of our computer that were obviously *not* public. This is blatently illegal, and the fact that CMU would do something like this at the urging of the RIAA disgusts me.

The news article was flat out wrong, and heavily biased toward the RIAA. I'm not impressed.

This sets a chilling prescedent. If I can say that some sort of content on a computer connected to my network is "dubious", then I would evidently have some sort of legal right to break in to private computers. This is, in my mind, not acceptable. If I have a share named "warez", can the university then legally break into my computer? What about one called "software"? What about one called "private project for MIT" (i.e. research not being done for CMU)?

Quite frankly, I hope the CMU network admins get sued under every computer trespassing law available. If CMU can do it (a traditionally level-headed place), *anyone* can legally examine your private computer.

Yes, it's their network...BUT...

What the Chronicle article fails to mention, or made factual mistakes with:


1) These files were NOT on student websites. They were on students' own machines shared via Microsoft Networking.

2) Many of the computers found "in violation" had their shares passworded. However, CMU tried to guess passwords when it ran into them. So if they could guess it, they considered it public access.

3) The uproar is not so much about the school trying to reduce mp3 sharing over their network, but the manner in which they did it. The CMU Computing Code of Ethics [cmu.edu] clearly states, "Every member of Carnegie Mellon has two basic rights: privacy and a fair share of resources. It is unethical for any other person to violate these rights...On shared computing systems, all user files and directories are considered to be private and confidential. Only files which a user has explicitly made public (e.g., by placing in a "public" directory) should be considered open for general access. Accessing and using files in another person's directory when not expressly permitted to do so by the owner is a violation of that person's privacy" The Code further states "Loopholes in computer systems or knowledge of a special password should not be used to alter computer systems, obtain extra resources or take resources from another person". Clearly what CMU has done, by going into folders not marked as public and guessing passwords has violated their own Code of Ethics. That has gotten a lot of people pretty upset. They followed the rules but lost access anyway.

4. The students affected could reduce the time they lost network access by a few weeks by going to a stupid "education" seminar to hear why copyright infringement is bad, and then write some paper along those lines. I think those that did that get their access back on Nov 14, or something like that.

5. Computing Services sent out an email to the student body giving their side of the event. You can find the text here [cmu.edu].

mp3s

I have a question...is it illegal to simply make MP3s of CDs I OWN and keep and don't distribute?

If not, can I be arrested by hanging my CDs on my front porch if somebody then takes them and copies them? Um, shouldn't it be THEM that get in trouble?

This is going a bit far. Really, I think RIAA and software companies use the "warez"-scare just to inflate their prices ("our product is so expensive because bad people are copying and not paying for it").

User 'mp3' pass 'mp3' != password protected

see above, if i can guess it, so can the hackers and the RIAA... but i believe this is tresspassing, and akin to picking a lot and saying 'it was a crappy lock', which is clearly illegal... CMU went too far here...

Just because somebody puts a password of 'mp3' on their share does *not* mean it's classified as private/password-protected. This is a very typical and normal way of setting up MP3 shares on anonymous FTP sites or Windows shares and, in my opinion, is essentially the same as "public access."

Don't think of it as a crappy lock, think of it as a code-word required for entry that's general knowledge. If the students really were protecting their files, they'd have used a real password. Their intent was to set it up for public access, which tips the scales against them. I believe there is a legal definition for 'password protected', and the intent of the owner to restrict access is a requirement. This is not the case here.

like some other schools, this email should have been sent out before the event, so that the kids would not have publicly shared the stuff!

At my previous university, in order to get campus ethernet, you had to agree to terms and conditions that required, in part, compliance with copyright laws. This should have been adequate warning. Just because some of your l33t hax0r mp3 friends are doing it and not getting caught doesn't mean you won't get caught either. You will have a hard time finding any of those students that didn't know what they were doing was illegal.

Not to sound evil here, but the university can do whatever the hell they like with their network connections. They don't *have* to have any proof of wrong-doing to nuke a connection. If they were in fact overzealous in their efforts, they were no doubt trying to send a "message" to the rest of the student body that these things won't be tolerated. The students in question will probably have their connections restored in short order.