[unisog] RIAA in violation of DMCA requirements?

Christopher E. Cramer chris.cramer at duke.edu
Tue Oct 4 18:34:51 GMT 2005

Keep in mind 2 things:

1) The law does not say digital signature.  In fact, the law is entirely 
vague regarding what constitutes a signature.  It requires a "physical or 
electronic signature of a person authorized to act on behalf of the owner 
of an exclusive right that is allegedly infringed."  So, the question is, 
what is an electronic signature.  Is my .sig file at the end of this email 
an electronic signature?  Is my typing my name an electronic signature?  
Or does it have to be a digital signature in the cryptographic sense?  

Frankly, I wouldn't want to be the test case arguing that it must be the 

2) To a large extent these notices are not legally relevant for alleged
p2p infringement.  Section 512(c) which contains the provisions for
notification is only for material residing on the servers of an ISP.  The
notifications aren't relevant for allegedly infringing material traversing
our networks.  These conduit activities are covered under section 512(a)
which does not discuss notification and take down procedures.

So, I think that it is reasonable to treat these as a useful educational 
opportunity for talking to students without considering them to be legally 
binding on your university.

Of course, you should talk to your lawyers before taking that position :)


Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528

On Tue, 4 Oct 2005, Mark Boolootian wrote:

> The below is a post made to the Resnet mailing list that talks
> about DMCA complaints that we've received from the RIAA and
> their lack of a valid digital signature.  In fact, I don't 
> believe any of the organizations that have lodged copyright
> complaints have ever provided anything that resembled a digital
> signature (mediasentry, sony, paramount, universal studios, etc).
> It's a bit surprising this issue hasn't received any visibility, 
> as it suggests that all these groups are operating in violation 
> of the requirements set forth in the DMCA.
> ---
> Date:         Mon, 26 Sep 2005 18:23:42 -0700
> >From:         Jim Warner <warner at cats.UCSC.EDU>
> Subject:      RIAA complaint signatures
> We have been receiving RIAA complaints that carry an attachment
> "signature.cer".  The contents of this attachment is the same on
> every message.  It does not contain a signature.  I'd be
> interested in hearing from anyone on this list that has
> received signed complaints from the RIAA that has verified
> the signature.  Below the line is my reading of the law
> and why this is important.  I'd be interested to hear any
> comments.  Please understand that I'm not a lawyer -- just
> trying to get my arms around this stuff.  Thanks.
> ================================================
> The DMCA ( HR2281 section 512(c)(3)(A) ) sets out a description
> of the elements of a copyright complaint.
> The sub-paragraph that follows (  HR2281 section 512(c)(3)(B)(ii) )
> explains how to proceed if the signature is missing.  What it
> says is that we should complain back to the writer of the
> original message if we have a problem with the signature.
> If we don't complain, we can't use that later when we need
> the safe harbor immunity afforded to service providers.
> Said another way, if there's a problem with the signature,
> our options are to:
>    ask for a good signature
>   --or--
>    accept the defective signature as valid
> We cannot discard the complaining notice and still maintain
> immunity from liability under Section 512.
> There is some legal danger for the University for acting on
> unsigned complaints.  If we were to harm an innocent user,
> the signed complaint upon which we acted would transfer the
> liability to the author of the complaining email.  But if the
> email is not signed, we are taking the risk for the presumed
> author of the document.  That does not seem wise.
> I think that what we should do when we receive an unsigned
> notice is (1) reply back that the document does not have
> an electronic signature and we need one if we're to act,
> and (2) notify the user that a complaint has been received.
> We should not "take down" or block users or their content
> without a signed complaint.
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list