Higher Education and the DMCA

Cotropia Gibson Publication Version PDF

By: Christopher A. Cotropia & James Gibson*


Cite as: Christopher A. Cotropia & James Gibson, Higher Education and the DMCA, 25 Rich. J.L. & Tech., no. 2, 2018.



The nearly twenty-year history of the Digital Millennium Copyright Act’s safe harbor provisions has been marked by criticism from content owners, online service providers, and end users. Content owners complain about the cost of monitoring online content and sending takedown notices. Online service providers complain about the cost of receiving and processing the notices. And end users complain about their legitimate use of copyrighted works being subject to DMCA takedown. Colleges and universities have been at the forefront of this controversy; as providers of online services to their students, they have been a focus of both Congress and copyright owners.  Higher education therefore provides a fitting case study of the effect of the safe harbor provisions, and particularly the nature, volume, and cost of the notice-and-takedown system. 

This Article presents the results of a survey of colleges and universities regarding their copyright and DMCA practices. The results expose infirmities in the administration of the DMCA system, both within the world of higher education and within the U.S. Copyright Office. Additionally, the results suggest that colleges and universities need to take better advantage of the safe harbors and correct certain fundamental misunderstandings of important and essential aspects of the DMCA.


I. Introduction

[1]     As access to the Internet became more widespread in the early 1990s, questions arose as to the legal liability of online access providers whose customers used that access to infringe copyright. For example, early cases such as Playboy Enterprises v. Frena[1] and Religious Technology Center v. Netcom On-Line Communication Services[2] examined whether the operators of electronic bulletin board services were liable under copyright law when their subscribers posted infringing material on the bulletin boards.

[2]     The need for nationwide uniformity on this issue, combined with the failure of courts to coalesce around a single liability standard, eventually led Congress to enact Title II of the 1998 Digital Millennium Copyright Act of 1998 (the DMCA).[3] Title II of the DMCA established four “safe harbors,” codified in 17 U.S.C. § 512—four categories of conduct for which online service providers (OSPs) are not held liable for infringement damages.[4] The covered conduct includes routing or acting as a conduit for Transitory Communications,[5] making local Cache Copies,[6] offering online System Storage locations where information can reside (e.g., websites),[7] and providing Information Location services (e.g., search engines).[8]

[3]     The most well-known and controversial aspect of the DMCA’s safe harbor system involves what is known as “notice and takedown.” In order to qualify for three of the four safe harbors, an OSP must designate an agent to receive notices from copyright owners regarding alleged infringement taking place using the OSP’s system.[9] When the agent receives a compliant notice, the OSP must act expeditiously to remove access to the allegedly infringing material. Otherwise, it loses the protection of the safe harbor.[10]

[4]     In the nearly twenty years since the DMCA was enacted, the notice-and-takedown system has been marked by criticism from content owners, online providers, and end users. Content owners complain about cost of monitoring online content and sending takedown notices.[11] Online service providers complain about the cost of receiving and responding to the notices.[12] And end users complain about legitimate use of copyrighted works being subject to DMCA takedown.[13]

[5]     Criticism of the DMCA’s notice-and-takedown system has had particular resonance among institutions of higher education. Colleges and universities, along with other educational institutions, have long occupied a unique place in copyright law. The Copyright Act contains many provisions that recognize the role that educational values play in encouraging the creation and dissemination of creative works.[14] Even the DMCA itself relieves institutions of higher education of liability for certain infringing activities in which their students and faculty engage.[15]

[6]     The core of the notice-and-takedown system, however, applies to colleges and universities in the same way that it applies to other OSPs. This is the case despite the fact that colleges and universities are situated somewhat differently. Like other OSPs, they often provide Internet access and storage. But unlike other OSPs, their users are not customers culled from the marketplace or random, unconnected users; instead, most of their users are students to whom the institution is arguably in loco parentis, such that it might exercise more authority over their conduct and treat encounters with copyright law as teaching moments.[16]

[7]     Colleges and universities accordingly have unique responsibilities toward those who use their networks to infringe copyright, over and above the responsibilities that the DMCA imposes on all OSPs. These extra responsibilities emerge from the institutions’ core educational mission, which presumably includes using encounters with the legal system as teaching moments. These institutions would want to ensure that their response to notices is consistent with their broader mission of education and knowledge creation. Extra responsibilities are also imposed from outside the institutions, most notably in the 2008 Higher Education Opportunity Act, which requires colleges and universities (1) to annually disclose to students the criminal and civil penalties that attach to copyright infringement and the steps that the institution takes to address infringement,[17] (2) to use technology-based deterrents to combat copyright infringement, and (3) to explore lawful alternatives to illegal file-sharing.[18]

[8]     Against this backdrop of regulation, colleges and universities must design and implement policies to deal with DMCA takedown notices while remaining faithful to their other responsibilities, both legal and educational. To date, there has been no empirical study of how colleges and universities have navigated this task. There have been some broader empirical studies of DMCA notice-and-takedown—examples include Urban and Quilter,[19] Seng,[20] and Urban, Karaganis, and Schofield.[21]—but none of them focused on the challenges of the higher education environment.

[9]     This Article fills that gap by disclosing the results of a two-stage empirical study.[22] The study first gathers and analyzes U.S. Copyright Office data to show that a high number of institutions of higher education have failed to take advantage of the DMCA’s safe harbors at all.[23] It then reports on a survey of those institutions that have availed themselves of the DMCA’s protections—a survey that reveals fundamental misunderstandings of important and essential aspects of the DMCA. We conclude with observations about the likely reasons for the study’s surprising findings and with recommendations for ways to improve the administration of the DMCA system, not only within higher education, but also within the U.S. Copyright Office and within the world of service providers more broadly.

II.  Study Design

A. Higher Education’s DMCA Agents

[10]     In order to comprehensively study higher education’s use of the DMCA’s protections, we first had to define the universe of higher education. To do so, we collected a list of all four-year colleges and universities in the United States, using U.S. News & World Report as our source. This list totaled 1,337 schools. For each school, we identified its precise location (city and state), its general geographic region (Northeast, Midwest, South, and West),[24] its ranking on U.S. News’s 2017 National Liberal Arts or National University college lists (as a rough proxy for prestige of the institution), the total student population of the school,[25] and whether the school is public or private.

[11]     We then determined whether each school had registered an agent for receipt of DMCA notices. To do so, we consulted the U.S. Copyright Office’s directory for such agents (found at http://www.copyright.gov/onlinesp/list), which is searchable alphabetically by name of the OSP. If we were able to find a registered agent for a school, we recorded the agent’s email address and whether the agent’s listed title fell within one of the following categories: Library, Information Services, General Counsel, Administrator, or Other. (We also took note of those schools that did not have a designated agent filed with the Copyright Office. As we will see, this data point was one of the most revealing and surprising in the entire study.)[26]

[12]     The resulting list of DMCA agents all received our survey. Because the survey was asking questions relevant to the DMCA, we made the assumption that such agents were likely to be knowledgeable, or to know who at the institution was knowledgeable, about the school’s interaction with the DMCA safe harbor provisions and its corresponding copyright policies.

B. Design of Survey Instrument

[13]     We then created a survey instrument, totaling at most twelve questions,[27] to send to the collected DMCA agent email addresses. The survey, which is reproduced in full in Appendix A to this paper, asks three general sets of questions.

[14]     The first section, after asking the participant to identify the part of the institution in which he or she works, focuses on the institution’s handling of notices alleging use of its network, by students or employees, to infringe copyrights. Specifically, participants were asked about the number of such notices per year (if any), the number of individuals at the institution that are involved in handling these notices, and the amount of time spent handling each notice. There were four questions in this section.

[15]     The second section explored the participant’s understanding of an institution’s legal obligations under copyright law. Three scenarios, presented in random order, posed scenarios that corresponded to three of the four safe harbors under 17 U.S.C. § 512. The survey presented a Transitory Communications scenario under section 512(a) (downloading infringing copies via the school’s network), a System Storage scenario under section 512(c) (storing infringing copies on the school’s network), and an Information Location scenario under section 512(d) (using the school’s network to help others find infringing copies).[28] For each scenario, we asked whether the participant would think he or she would have had a legal obligation to take action. For those participants who had earlier indicated that they had received DMCA notices, we also asked what percentage of those notices corresponded to each scenario. This section comprised three to six questions.

[16]     The third section of the survey asked some broader questions about each institution’s response to copyright infringement and the reasons behind the response. We asked which technology-based deterrents (if any) the institution had adopted to inhibit or prohibit use of its network to infringe copyrights. We also asked each institution to rank in order of importance the factors that motivated its response to notices of copyright infringement—e.g., limiting legal liability, educating students, and facilitating the free flow of ideas and information. This section included two questions.

[17]     The survey concluded with an open-ended request for additional thoughts and invited participants to indicate whether they were willing to be interviewed further.

C. Survey Implementation

[18]     We tested initial drafts of the survey on various higher education administrators that have been involved with copyright law compliance and the handling of DMCA notices. These individuals included experts in information technology, university librarians, and university general counsels. We received feedback on our initial drafts and made necessary modifications to improve the instrument. We also applied for and received approval from our university’s Institutional Review Board.

[19]     We then sent a link to the survey to the email address for each registered DMCA agent. We used Qualtrics to distribute the survey and track responses. The distributed links were unique for each institution, allowing us to associate the information we collected earlier (e.g., size and location of school) with each response. The email noted that the responses were completely confidential and would be anonymized and aggregated with the responses of others. The email also invited participants to feel free to forward the survey to those who may be more knowledgeable about their institution’s copyright practices. We also suggested that participants refer to whatever personnel or materials at their institution would help them answer the survey’s questions.

[20]     We followed up this initial email with two reminder emails, spaced roughly one month apart, in order to maximize participation.

III.  Results

A. Registration Information

[21]     At the outset of our research, we discovered that over half of all four-year colleges and universities do not have a registered DMCA agent. We identified a total of 1,377 such institutions nationwide, of which 697 (50.62%) had no registered agent with the Copyright Office. Of the remaining 680 (49.38%) that did register agents, our survey email bounced back in 89 (13.09%) cases. This meant that of the 1,377 colleges, 786 (57.08%) either did not have a registered agent or the registered email was no longer working.

[22]     We then looked at the DMCA agent registration data more closely. First, we classified the data based on whether the college was public or private. As seen in Figure 1, a greater percentage of public colleges had registered their agents than private colleges.


[23]     We also compared the registration data to the institution’s student population, with results reported in Figure 2. Notably, larger institutions are more likely to have registered a DMCA agent—except for the largest institutions (those with 15,000 students or more).

[24]     We then examined whether institutions ranked high by U.S. News & World Report (U.S. News) were more likely to register a DMCA agent. We identified the institutions that U.S. News ranked in the top 50 on either its National Universities list or Liberal Arts Universities list. Out of those 100 institutions, only 9 (9%) failed to register a DMCA agent. Of the 91 registered, 14 (15.38%) listed email addresses that bounced. This compares to 688 (53.88%) of the other 1,277 institutions that failed to register and 75 (12.73%) of those registered whose email addresses bounced.

[25]     From the registrations, we were also able to observe the title of the identified agent. The data is reproduced in Figure 3, with a majority (59.11%, 402) in information services.

B. Information from Survey

[26]     The following discussion summarizes the survey results. Note that we have made the raw, anonymized data from the survey available online at copyrightlawdata.com.

1. Response Rate and Respondent Descriptives

[27]     As previously mentioned, 680 colleges and universities had registered DMCA agents. In a few instances, usually involving large public institutions with several campuses, multiple institutions used the same, single agent registration. In those instances, we sent a single survey to the relevant email address. This meant that we sent out a total of 634 survey requests for the 680 registered institutions.

[28]     Of these 634 survey requests, 92 emails bounced (as discussed above) and 8 opted out of the survey,[29] for a total of 15.77% (100) that were unable to take the survey. Of the remaining 534 that received the email, 14.42% (77) fully completed the survey, and 16 more completed part of it. Of those 16, three provided an answer beyond the first question, which asked the participant to identify his or her position within the institution. Thus, 14.98% (80 of the 534) who received emails participated in the survey in a meaningful way. Two of those who responded were agents for more than one related institution; we coded those as a single response, combining the enrollment numbers for the related institutions.

[29]     Of the respondents, 51.25% (41) were from private schools and 48.75% (39) were from public. The student population of the responding institutions varied:

  • 5% (2) had fewer than 1,000 students;
  • 75% (35) had between 1,001 and 5,000 students;
  • 25% (13) had between 5,001 and 10,000 students;
  • 5% (4) had between 10,001 and 15,000 students; and
  • 5% (26) institutions had more than 15,000 students.

Notably, this distribution of characteristics amongst our respondents is both varied and mimics the distribution in the complete set of schools investigated.

[30]     Many of the respondents (70%, 56), were housed in the information technology department of their institution. The next largest category was library (15%, 12), with three in the legal/general counsel’s office and three in student affairs.[30]

2. Data on DMCA Notices and Response Structure

[31]     The approximate number of DMCA notices received per year varied greatly, from a low of zero to a high of 2,000, with a mean of 200.79.[31] The basic statistics are reported in Table 1 below, which both provides the raw numbers and then puts them in perspective by showing the number of notices per enrolled student.

Table 1: Volume of DMCA Notices (n = 79)


Median Mean Standard Deviation Min Max
Notices/Year 30 200.79 329.35 0 2000
Notices/Year/Student 0.0128 0.02 0.04 0 0.32

[32]     The distribution of notices, and notices per student, is skewed to the right, with 72.5% (58) schools clustering between zero to 270 notices (Figure 4) and 78.75% (63) schools clustering between zero and 0.034 notices per student (Figure 5).

[33]     Public schools received, on average, more notices (283.34 mean) than private schools (122.38 mean). However, this may be a function of a higher student population in public schools, as both categories received a similar number of notices per student: public schools received an average of 0.0215 notices per student, compared to 0.0238 for private schools.

[34]     Regarding the number of people within the institution involved in handling responses to DMCA notices, we again saw a wide variance. Table 2 sets forth both the basic statistics and the per-enrolled-student breakdown, and Figure 6 shows once again a distribution skewed to the right, with 38.88% (31) schools clustering between 1 and 2 individuals and 92.5% (74) schools having 5 or less.[32]

Table 2: Number of Individuals Involved in DMCA Response

(n = 79)

Median Mean Std. Dev. Min Max
No. Individuals 3 3.43 3.98 1 35
No. Individuals

per Student

0.0005 0.00083 0.001 0.00006 0.00534

[35]     Regarding the amount of time spent on each notice, institutional responses again varied.  Table 3 shows the median, mean, and standard deviation for the response time, and Figure 7 shows a skewed-to-right clustering of 65% (52) schools between zero and 1 hours.[33]

Table 3: Hours Spent per DMCA Response (n = 78)


Median Mean Std. Dev. Min Max
Hours/notice 1 2.06 7.07 0 62.4

[36]     We also multiplied the average number of hours per notice by the number of notices institutions averaged per year. This data is reported in Table 4 below. 62% (50) of the institutions reporting spending 50 hours or less a year handling DMCA notices. Notably, 12.5% (10) of the institutions spent 500 or more hours a year on DMCA notices, with 5 institutions spending 1,000 hours or more a year.

Table 4: Total Hours Spent per Year on DMCA Response (n = 78)


Median Mean Std. Dev. Min Max
Total Hours 30 658.81 4296.85 0 37252.8

3.  Participant Views on Legal Obligations

[37]     The three hypothetical scenarios tested the participants’ understanding of whether they had a legal obligation to take any action in response to a notice from a copyright owner. Scenario 1 hypothesized a student’s use of the school’s network to illegally download copyrighted material onto the student’s own laptop computer—a situation that falls within the Transitory Communications safe harbor of 17 U.S.C. § 512(a). Scenario 2 hypothesized a student’s use of the school’s network to illegally store copyrighted material, such as on a website that resides on the school’s servers—a situation that falls within the System Storage safe harbor of 17 U.S.C. § 512(c). And Scenario 3 hypothesized a student’s use of the school’s network to help others find infringing materials, as by maintaining a website with hyperlinks to copyrighted material for illegal download—a situation that falls within the Information Location safe harbor of 17 U.S.C. § 512(d).

[38]     As Table 5 shows, Scenario 1 garnered the most Yes answers and Scenario 3 the least, but a strong majority of participants thought that they had a legal obligation to take action in all three.

Table 5: Participant Views on Legal Obligations


Yes No n
Scenario 1 — 17 U.S.C. § 512(a)

(Transitory Communications)





Scenario 2 — 17 U.S.C. § 512(c)

(System Storage)





Scenario 3 — 17 U.S.C. § 512(d)

(Information Location)






[39]     Similarly, participants reported that Scenario 1 occurred most often at their institutions, with Scenario 3 occurring the least (Table 6). But here the difference between the scenarios was much more marked, with Scenario 1 accounting for two thirds of notices received, on average, versus single-digit percentages for the other two scenarios.[34]

Table 6: Occurrence of Scenarios (n = 64)


Median Mean Std. Dev.
Scenario 1 — 17 U.S.C. § 512(a)

(Transitory Communications)

97.50% 67.64% 30.85
Scenario 2 — 17 U.S.C. § 512(c)

(System Storage)

0.00% 4.02% 13.29
Scenario 3 — 17 U.S.C. § 512(d)

(Information Location)

0.00% 3.19% 15.94

4.  Responses to Copyright Infringement

[40]     Participants in the survey largely reported that their institutions used technology-based deterrents to inhibit the use of their institutions’ networks to infringe copyright. As Table 7 shows, a wide variety of such deterrents are used, and almost all respondent schools reported using at least one.

Table 7: Use of Technology-Based Deterrents (n = 72)


Schools Using Deterrent
User network registration/login 75.00% (54)
Port banning/firewalls 56.94% (41)
Traffic/packet shaping 54.17% (39)
Bandwidth throttling 41.67% (30)
Traffic monitoring 36.11% (26)
Other 8.33% (6)
None 5.56% (4)

In addition, a number of participants commented that use of technology-based deterrents (particularly port banning and packet shaping) had reduced the incidence of DMCA notices.

[41]     Most schools used at least two different technological-based deterrents, with over half of the schools using three or more different technological measures. The distribution of the number of different technological-based deterrents used is shown below in Figure 8.

[42]     Finally, participants were asked to provide information on the motivations for their schools’ handling of copyright notices. A list of five possible motivations was offered, plus a sixth “Other” category. The participants were asked to rank them in order of importance (with 1 being the most important) and were allowed not to rank a factor if it was not in fact a motivation. Table 8 shows the results.

Table 8: Motivations for Policy on Copyright Notices


Importance of Motivation

(scale of 1 to 6)

Limiting the institution’s

exposure to legal liability

2.10 67
Educating students 2.45 62
Facilitating the free flow

of ideas and information

3.25 55
Limiting demands on the institution’s information technology resources 3.53 60
Disciplining students 4.31 61
Other 3.25 4

IV. Discussion and Recommendations

A. Agent Registration Issues

[43]     The study initially revealed how many institutions of higher education have not registered a DMCA agent, and thus are not protected by three of the four section 512 safe harbors.[35] Of the 1,377 institutions studied, more than half had no DMCA agent registration (50.62% unregistered). This percentage of unregistered schools was higher for private institutions (59.8% unregistered), which suggests that the explanation is not the sovereign immunity that public institutions enjoy in copyright suits.[36] It was also high for both the smallest, institutions with less than 1,000 students (75.26% unregistered), and, perhaps surprisingly, the largest institutions—those with 15,000 or more students (42.34% unregistered). Maybe these unregistered institutions are not providing any online services to their students and employees, and thus do not need the protection of the relevant safe harbors, but that is highly unlikely.

[44]     In addition, even for those schools that had registered, there is evidence that the registrations are not current. The Copyright Office regulations provide a mechanism for updating the DMCA agent registration information.[37] And to stay within the relevant safe harbors, the registration information must provide sufficient information so that the designated agent may be efficiently contacted.[38] However, of the 49.38% registered, 13.09% listed emails bounced back when sending the survey, meaning they were not correct or operational. We also received a few emails from the listed DMCA agents indicating that the emailed individual no longer worked on the identified institution. There is also reason to believe that a portion—perhaps a significant portion—of those who did not even click the survey link failed to do so because the registered email address was not operational.[39]

[45]     Finally, when collecting the DMCA agent information, we encountered many barriers to obtaining the listings. Whether an OSP has registered was not universally searchable, only searchable within the alphabetical letter that begins the OSP’s name. In addition, the individual registrations were simply scans of the submitted paper registrations, without text recognition, which made the information in the forms not searchable. Additionally, individual registrations were hard to read—with many scans being blurry and some registrations being hand-written and illegible. If we encountered these problems in gathering the data for our survey, it is safe to assume that those who used the system for its intended purpose encountered them as well.

[46]     In sum, these data and observations confirm earlier U.S. Copyright Office findings[40] that the DMCA agent registration system is simply underused and, when used, is not adequately accessible or up to date. When more than half of four-year institutions lack a registered agent with a functioning email address, that hurts both schools and copyright owners: in the absence of an agent, the former cannot receive the benefit of three of the four safe harbors, and the latter are denied a streamlined way to initiate a takedown when they see their content being hosted or linked on a school’s network.

[47]     Some of these infirmities in agent registration have their root in the fact that when we conducted the study, the Copyright Office was still operating under interim regulations to govern the DMCA agent registration process.[41] The interim regulations were published in 1998 with the intent to ultimately replace them with permanent regulations,[42] but instead they remained active for almost two decades. Finally, in late 2016, the Copyright Office implemented a new agent registration system, requiring OSPs to comply with it by the end of 2017.[43]

[48]     The new system should solve a few of the problems our study revealed. Going forward, registrations will be universally searchable, and the results of the search will no longer be in the form of scanned, handwritten PDFs.[44] The routine identification of registered DMCA agents should accordingly be less costly.

[49]     But the new system does nothing about the marked absence of registrations in the first place. Registering an agent has always been easy; indeed, if anything, it was easier under the old interim guidelines, under which a registration was perpetual; in contrast, the new system requires each OSP to renew its registration every three years.[45] The disappearance of the interim guidelines will do nothing to increase registration by the half of higher education institutions who currently lack an agent.

[50]     The explanation for the absence of registrations is unknown. One possibility, which we plan to explore in further research, is that the unregistered schools are acting rationally—i.e., that the benefits of the DMCA are not worth the costs.[46] We urge the Copyright Office and other scholars to research the issue as well. In addition, the Copyright Office should consider launching an affirmative educational program regarding the DMCA safe harbors, aimed at institutions of higher education. Such institutions have understandably been in the copyright crosshairs of both Congress and the owners of copyrighted works. Their failure to take even the first step toward complying with the statute that governs their conduct merits further inquiry.

B. Distinguishing the Safe Harbors

[51]     The most revealing part of the survey results is the response to the three scenarios, and in particular Scenario1. That scenario read as follows:

If you were to receive a notice alleging the following scenario, would you think you had a legal obligation to take action?

A student or employee is using the institution’s network to download material that infringes copyright from the Internet to his or her own computer (or to upload such material from his or her own computer).

Example: A student uses a file-sharing program to download a song from a third-party website to her laptop, using your institution’s Internet connection.

Because the institution’s network is merely acting as a conduit, and the infringing copy resides on the student’s own computer, this scenario clearly falls within the Transitory Communications safe harbor of 17 U.S.C. § 512(a). It does not implicate the System Storage safe harbor of 17 U.S.C. § 512(c) because the infringing material does not reside on a system controlled by the institution; it only passes through.[47]

[52]     The distinction between the Transitory Communications safe harbor and the System Storage safe harbor is important—because of the two, only the latter requires that schools implement a notice-and-takedown procedure. In other words, an OSP is insulated from liability for providing network connectivity regardless of whether it responds to notices or even designates a DMCA agent at all. Yet 91.89% of survey participants reported having “a legal obligation to take action” if notified of the situation described in Scenario 1. (See Table 5.) That figure far exceeds the percentage who reported having a legal obligation to take action when presented with a System Storage situation in Scenario 2 (76.71%) or an Information Location situation in Scenario 3 (62.16%)—both of which actually require notice-and-takedown as part of the safe harbor.

[53]     On average, Scenario 1 situations accounted for 67.64% of notices that schools received (see Table 6), so this misunderstanding has significant consequences. Moreover, schools reported that “limiting the institution’s exposure to legal liability” was the most important aggregate motivation for their DMCA policies (see Table 8), so a proper understanding of the law is important.

[54]     Might there be other explanations for these results, aside from a misunderstanding of the safe-harbor structure? Possible, but unlikely. Consider the alternative explanations:

  • “Legal obligation.”We asked schools about whether they had a “legal obligation” to take action. To be precise, section 512 imposes no affirmative obligation; its safe harbors merely give OSPs a legal defense that they would not otherwise have.[48] To the extent that participants made this distinction, however, they would have answered No, not Yes, to Scenario 1—which means that a more accurate phrasing would have resulted in a figure even higher than 91.89%.
  • “Take action.” Another potential phrasing issue involves the term “take action” in our scenario questions. Some schools might have interpreted the phrase broadly. For example, section 512(i) requires OSPs to implement a policy of terminating users who repeatedly infringe copyright; arguably, this includes keeping a tally of those users who infringe using the network as a conduit, which could be seen as “taking action.” If that is the case, a Yes answer to Scenario 1 would not necessarily imply a misunderstanding of the law. That possibility is fairly attenuated, however, and would probably reduce the 91.89% figure by only a small amount.
  • Combination of safe harbors. It some instances, a user might use both connectivity and network storage space, as when an employee downloads infringing content to a university server. In that case, both the Transitory Communications and the System Storage safe harbors would apply. That possibility might cast some doubt on our measurement of the volume of notices represented by each scenario (see Table 6), to the extent that participants thought that each notice had to be classified under a single scenario.[49]But the individual scenarios did not present facts consistent with multiple safe harbors, so this possibility should not have affected their understanding of the safe harbors themselves.
  • Voluntary student discipline. Schools may be aware that they can stay within the Transitory Communications safe harbor without implementing notice-and-takedown, but they respond to such notices anyway because they want to discipline students who infringe. If so, it would be odd to report that they had a “legal obligation” to respond—and student discipline ranks last on the list of institutions’ motivations (see Table 8).
  • Selection bias. Those schools that chose to participate in the survey might not be representative of all schools since the survey was sent to only those schools with designated agents. However, the response within this cohort was necessarily random. Also, if selection bias were present, it would not explain the problem away, but merely reduce its scale.

[55]     In the end, then, our survey results provide strong evidence that institutions of higher learning are overcomplying with regard to Transitory Communications, but arguably undercomplying with regard to System Storage and Information Location. Motivated more by a fear of legal liability than by any educational or disciplinary goal, schools consistently respond to the most frequent category of notices that copyright owners send—even though doing so has no effect on their legal liability.

[56]     As with agent registration, this finding calls for both more investigation and more education. Even those colleges and universities who register an agent nonetheless mismanage some of the most important and most frequent interactions with the safe harbor system. And there is no reason to assume that these issues are limited to OSPs in higher education. The largest and most successful online platforms, such as YouTube and Facebook, undoubtedly have a deep and accurate understanding of the workings of the DMCA. But there are thousands of other providers of online services who are of the same size and sophistication as colleges and universities. Discovering whether they exhibit similar tendencies and interrogating the underlying (mis)understandings of the law should contribute to the improved administration of copyright law in the online world.

V.  Conclusion

[57]     For more than two decades, a battle has been fought over the rights and responsibilities of those whose online services involve copyrighted materials. In many ways, higher education represents the crucible of this conflict. Yet the data demonstrates that the statute Congress enacted to mediate the conflict is going unused by institutions of higher education—and, when it is used, is it is being used poorly. These findings suggest there is more research, education, and reform to be done both within higher education and beyond before the conflict has any hope of a sensible resolution.


Appendix: Survey Instrument[50]


Q1. Which of the following most closely describes the part of your institution in which you work?

  • Information Technology (1)
  • Legal / General Counsel’s Office (2)
  • Student Affairs (3)
  • Library (4)
  • Other: (5) ____________________




Q2. As you know, copyright owners and their agents sometimes send notices to institutions of higher learning, claiming that students or employees are using the institutions’ networks to infringe copyright. Such notices often include requests for the institution to take some action with regard to the alleged infringement. Approximately how many such notices per year does your institution typically receive? Please use the last five years as a reference.


[If answer to Q2 is zero, skip to Q5.]




Q3. Institutions of higher learning respond to these notices in a variety of ways, including verifying the claim, corresponding with the claimant, taking down copyrighted materials, interacting with students and employees, and so forth. How many different individuals at your institution are routinely involved in such responses?




Q4. On average, how much total time do you and others at your institution spend on such responses? (Please indicate average number of hours per notice. For fractions of an hour, use decimals—e.g., 0.5.)


You will now be presented with three scenarios involving such notices. Feel free to use the buttons at the bottom of the page to navigate among the scenarios until you are satisfied with your answers.[51]




Q5. If you were to receive a notice alleging the following scenario, would you think you had a legal obligation to take action?


Scenario: A student or employee is using the institution’s network to download material that infringes copyright from the Internet to his or her own computer (or to upload such material from his or her own computer).


Example: A student uses a file-sharing program to download a song from a third-party website to her laptop, using your institution’s Internet connection.

  • Yes (1)
  • No (2)


[If answer to Q5 is zero, skip to Q7.]




Q6. Of the notices that you receive, approximately what percentage allege conduct like that in the foregoing scenario?





Q7. If you were to receive a notice alleging the following scenario, would you think you had a legal obligation to take action?


Scenario: A student or employee is storing material that infringes copyright on the institution’s network.


Example: A student is allocated a certain amount of storage space on a server controlled by your institution, and he uses it to store movie files.

  • Yes (1)
  • No (2)


[If answer to Q7 is zero, skip to Q9.]




Q8. Of the notices that you receive, approximately what percentage allege conduct like that in the foregoing scenario?




Q9. If you were to receive a notice alleging the following scenario, would you think you had a legal obligation to take action?


Scenario: A student or employee is using the institution’s network to help others find material that infringes copyright.


Example: A student is allowed to maintain a website or blog on a server controlled by your institution, and she uses it to maintain a list of hyperlinks to copyrighted material for illegal download.

  • Yes (1)
  • No (2)


[If answer to Q9 is zero, skip to Q11.]




Q10. Of the notices that you receive, approximately what percentage allege conduct like that in the foregoing scenario?




Q11. Have you used any of the following technology-based deterrents to inhibit or prevent the sort of scenarios listed above? (Choose all that apply, including those used in the past. Feel free to ask others at your institution if you need to.)

  • Port banning/firewalls (1)
  • Bandwidth throttling (3)
  • Traffic/packet shaping (4)
  • Traffic monitoring (5)
  • User network registration/login (9)
  • Other: (6) ____________________
  • We have not used any technology-based deterrents. (11)




Q12. An institution’s policy regarding copyright notices may be motivated by a number of different factors. The following list contains examples of such factors. Please rank the factors according to their importance to your institution (with 1 being most important) to the best of your knowledge. If a factor is not at all important to your institution, do not rank it.

  • Limiting the institution’s exposure to legal liability. (1)
  • Limiting demands on the institution’s information technology resources. (2)
  • Educating students. (3)
  • Disciplining students. (4)
  • Facilitating the free flow of ideas and information. (5)
  • Other: (6)




Q13. If you have any other thoughts or information to share on these matters, please use the following space to provide them.




Q14. If you are willing to participate in a follow-up interview, please enter your email address below.


This marks the end of the survey. Please use the back button below if you need to revisit your answers to any of the questions. If you are finished, please use the forward button to complete the survey. Once you hit the forward button, you will not be able to change any of your previous answers.



*The authors are Professors of Law at the University of Richmond School of Law, where Professor Cotropia is also Director of the Intellectual Property Institute. They would like to thank the many individuals who helped with this study: Paul Birch, Kenny Crews, Linda Fairtile, Casey Fiesler, Lolly Gasaway, Deborah Gerhardt, Corinna Lain, Lucretia McCulley, Shannon Sinclair, Roger Skalbeck, Brad Stringfellow, Scott Tilghman, and Rob Tyler. We are also grateful to the Chicago-Kent Center for Empirical Studies for providing a grant in support of the study.

[1] See Playboy Enter., Inc. v. Frena, 839 F. Supp. 1552, 1554 (M.D. Fla. 1993).

[2] See Religious Tech. Cent. v. Netcom On-Line Commc’n Serv., Inc., 907 F. Supp. 1361, 1365 (N.D. Cal. 1995).

[3] The official name of Title II was the Online Copyright Infringement Liability Limitation Act. In practice, however, its provisions are usually referred to as the DMCA—notwithstanding that the DMCA contained four other titles unrelated to liability of online service providers. See U.S. Copyright Office, Summary of the Digital Millennium Copy Right Act of 1998 (1998), https://www.copyright.gov/legislation/dmca.pdf [https://perma.cc/8SHW-GPU2].

[4] See Digital Millennium Copyright Act, Pub. L. No. 105-304, § 202, 112 Stat. 2860, 2877–81 (1998) (codified at 17 U.S.C. § 512 (2012)) (describing the safe harbor requirements for transmission, caching, storage, and information location tools). To qualify for any of the safe harbors, an OSP would have conform to various related requirements. See id. For example, the OSP must adopt, reasonably implement, and publicize a policy that provides for the termination of subscribers and account holders who repeatedly infringe copyright. See Digital Millennium Copyright Act, 17 U.S.C. § 512(i)(1)(A) (2012).

[5] See 17 U.S.C. § 512(a).

[6] See id. § 512(b).

[7] See id. § 512(c).

[8] See id. § 512(d).

[9] The lone exception is the Transitory Communications safe harbor in 17 U.S.C. § 512(a) (2010). The System Storage safe harbor explicitly requires agent registration. See id. § 512(c)(2). The other two safe harbors implicitly require it by incorporating a notice-and-takedown process similar to that found in section 512(c). See id. § 512(b)(2)(E), 512(d)(3). And it is clear that without timely registration of an agent, the protections are unavailable. See BWP Media USA, Inc. v. Hollywood Fan Sites, L.L.C., 115 F. Supp. 3d 397, 400 (S.D.N.Y. 2015) (“A service provider cannot retroactively qualify for the safe harbor for infringements occurring before the proper designation of an agent under the statute.”); CoStar Grp., Inc. v. LoopNet, Inc., 164 F. Supp. 2d 688, 697 n.4 (D. Md. 2001) (holding that the section 512(c) safe harbor is only available to an OSP after it designates a DMCA agent), aff’d, 373 F.3d 544 (4th Cir. 2004); Oppenheimer v. Allvoices, Inc., No. C 14-00499 LB, 2014 WL 2604033, at *5 (N.D. Cal. June 10, 2014) (holding that an OSP “may not invoke the safe harbor found in Section 512(c)(1) with respect to infringing conduct that occurred prior to [its] designating a DMCA-related agent with the Copyright Office”).

[10] See 17 U.S.C. § 512(c)(1)(C) (2018); see also id. § 512(d)(3). Note that losing the protection of the safe harbor simply means the loss of an otherwise available defense against an infringement claim. It does not necessarily mean that the OSP is liable; the rightsholder would still have to prove its case in court.

[11] See, e.g., Music Community Written Submission Regarding Development of the Joint Strategic Plan on Intellectual Property Enforcement, in response to Request of the U.S. Intellectual Property Enforcement Coordinator for Public Comments, 80 Fed. Reg. 52800 (Oct. 15, 2015), App. C, at 1–2, http://www.riaa.com/wp-content/uploads/2016/03/Music-Community-Submission-in-re-DMCA-512-FINAL-7559445.pdf [https://perma.cc/3K8U-UGKY] (referring to “unprecedented burden” of takedown system and “mismatch between the amount of infringement and the burden of enforcement”).

[12]See, e.g., Jennifer M. Urban & Laura Quilter, Efficient Process or Chilling Effects – Takedown Notices Under Section 512 of the Digital Millennium Copyright Act, 22 Santa Clara High Tech. L.J. 621, 684 (2006) (reporting on high cost of compliance for large ISPs).

[13] See id. at 666–78 (detailing flaws in notices).

[14] See, e.g., 17 U.S.C. § 107 (2012) (giving teaching and research special status in fair use inquiry); id. § 110(2) (exempting nonprofit educational institutions from certain forms of liability); id. § 112(f) (exempting the use of copies or phonorecords of work that is in digital form for nonprofit educational institutions).

[15] See id. § 512(e) (including public institutions).

[16] For an explanation and historical examination of the in loco parentis concept, see Philip Lee, The Curious Life of In Loco Parentis in American Universities, 8 Higher Educ. in Rev.65 (2011).

[17] See 20 U.S.C. § 1092(a)(1)(P) (2018).

[18]See id. § 1094(a)(29). See infra Part III.B.4 & Table 7 (reporting on use of such specific technology-based deterrents as firewalls, bandwidth-throttling, and blacklists).

[19] See generally Urban & Quilter, supra note 12 (discussing the takedown of material posted online after a copyright-holder provides notice).

[20] See generally Daniel Seng, The State of the Discordant Union: An Empirical Analysis of DMCA Takedown Notices, 18 Va. J.L. & Tech. 369 (2014) (investigating the takedown process).

[21] See Jennifer M. Urban, Joe Karaganis & Brianna L. Schofield, Notice and Takedown in Everyday Practice3 (2016); see also The Takedown Project, http://takedownproject.org [https://perma.cc/H3LM-HS2V] (collecting further data on notice-and-takedown and publicizing related research).

[22] Note that the study was originally undertaken and its results submitted in response to the Copyright Office’s call for commentary on the DMCA. See The Register’s Perspective on Copyright Review: Hearing Before the H. Comm. on the Judiciary, 114th Cong. 24 (Apr. 29, 2015) (statement of Maria A. Pallante, U.S. Register of Copyrights and Director of the U.S. Copyright Office).

[23] Notably, this study was conducted prior to the technical amendments to the U.S. Copyright Office’s regulations governing the submission of designated agent and service provider information to the Office. See Designation of Agent to Receive Notification of Claimed Infringement, 82 Fed. Reg. 21696 (May 10, 2017) (amending 37 C.F.R. §§ 201–202). More on this issue infra, Part III.A.

[24] For this metric, we used the Census Bureau’s regional designations. See Census Regions and Divisions of the United States, U.S. Census Bureau, https://www2.census.gov/geo/pdfs/maps-data/maps/reference/us_regdiv.pdf [https://perma.cc/QHU9-TPJV].

[25] See U.S. News & World Report Best Colleges Rankings, U.S. News & World Report(2018), https://www.usnews.com/best-colleges [https://perma.cc/WX9M-432H] (reporting each institution’s total enrollment).

[26] See Directory of Service Provider Agents for Notification of Claims of Infringement, Libr. of Congress, https://www.copyright.gov/onlinesp/list/ [https://perma.cc/NK5V-N5G8].To test the reliability of searching and finding these DMCA agent registrations, as well as our category codings, we both coded one hundred of the agent registrations and selected Cohen’s Kappa as the measure of intercoder agreement. See Mark A. Hall & Ronald F. Wright, Systematic Content Analysis of Judicial Opinions, 96 Calif. L. Rev.63, 113–14 (2008) (explaining that the best practice for measuring and quantifying the reliability of intercoder agreement is to use a coefficient such as Cohen’s Kappa, which measures the reliability of agreement between coders and controls for agreement that occurs purely by chance). Cohen’s Kappa ranges from 0 to 1, with numbers near 1 indicating a higher degree of reliability. See id.Our Cohen’s Kappa for the DMCA agent registration information for higher education institutions was 1, which equates to “perfect agreement.” Id.

[27] As one can see from the Appendix, infra, whether a participant was presented with a given question sometimes depended on how he or she answered an earlier question—but the maximum possible was twelve.

[28] We did not pose a scenario involving Cached Copies under the remaining safe harbor, section 512(b), since that conduct had not arisen as a concern of OSPs or copyright owners.

[29] Qualtrics gives potential participants the option to “opt-out” of the survey by clicking a link separate from the survey link. See Email Survey Invitations, Qualtrics (2018), https://www.qualtrics.com/support/survey-platform/distributions-module/email-distribution/emails-overview/#UsingTheOptOutLink [https://perma.cc/EYX7-JHVH] (providing instructions for participants in relation to email surveys). Eight schools did just that with our survey.

[30] Six were in “other.”

[31] The 2,000 figure was an outlier; the second-highest figure was 1,000.

[32] The highest number of individuals reported, 35, was an outlier; the second-highest figure was 10.

[33] The highest number of hours reported, 62.4, was an outlier; the second-highest figure was 8.

[34] Because the three scenarios did not necessarily capture all possible notices that schools might receive from copyright owners, and because a single notice might implicate more than one scenario, the survey instrument did not require the three percentages to total 100%. Note also that, although we call them Scenario 1, Scenario 2, and Scenario 3, the order in which they were presented was randomized for each survey participant.

[35] See, e.g., 17 U.S.C. § 512 (2012) (indicating that only the Transitory Communications safe harbor does not require registration of an agent).

[36] See Coyle v. Univ. of Kentucky, 2 F. Supp. 3d 1014, 1017 (E.D. Ky. 2014).

[37] See 37 C.F.R. § 201.38(f) (2015); see also 37 C.F.R. § 201.38(c)(3) (2018) (stating that the “name of the agent designated to receive notification of claimed infringement” must be identified). Note that the relevant regulation has been revised since the study was conducted, but both the original and the revision provide for updates to registration information.

[38] See, e.g., Disney Enters. v. Hotfile, No. 11-20427-CIV, 2013 U.S. Dist. WL 6336286, at *25 (S.D. Fla. Sept. 20, 2013).

[39] To minimize spam, many institutions do not bounce invalid email addresses, instead opting to silently drop the email message. Notably, this fact may indicate that the survey’s response rate is much higher, with many of the potential participants never getting the survey because the email address was no longer valid. See, e.g., Yuchun Tang et al., Support Vector Machines and Random Forests Modeling for Spam Senders Behavior Analysis, IEEE Xplore1, 4 (Dec. 8, 2008), https://ieeexplore.ieee.org/document/4698194/metrics#metrics [https://perma.cc/RV8A-E6S2] (noting the silently dropping email message method of quarantining potential “spam”).

[40] See Designation of Agent to Receive Notification of Claimed Infringement, 76 Fed. Reg. 59,953 (Sept. 28, 2011) (to be codified at 37 C.F.R. pt. 201) (noting that a “small random sampling of a portion of the current directory reveals that a number of existing designations are associated with businesses that have ceased operations”).

[41] See Designation of Agent to Receive Notification of Claimed Infringement, 63 Fed. Reg. 59,233 (Nov. 3, 1998) (to be codified at 37 C.F.R. pt. 201) (noting that these were interim regulations).

[42] See id.

[43] See Designation of Agent to Receive Notification of Claimed Infringement, 37 C.F.R. § 201.38 (2018).

[44] See United States Copyright Office, Search the DMCA Designated Agent Directory, https://dmca.copyright.gov/osp/ [https://perma.cc/22TC-LDZB].

[45] See 37 C.F.R. § 201.38(c)(4) (2017).

[46]See Christopher A. Cotropia & James Gibson, Convergence and Conflation in Online Copyright 36 (Aug. 16, 2018) (unpublished manuscript) (on file with authors), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3233113 [https://perma.cc/K4HN-T4CV].

[47] It is worth mentioning that several courts have drawn this exact distinction in cases involving institutions of higher learning that were accused of providing Internet connectivity (but not storage space) to infringers. The cases originated in a different DMCA provision, 17 U.S.C. § 512(h), which authorizes the issuance of subpoenas to OSPs that engaged in System Storage but not to those that engaged only in Transitory Communications. The courts accordingly addressed the very issue that Scenario 1 tested—i.e., which safe harbor applies to students who use a school’s network to download copyrighted content to (or upload copyrighted content from) their personal computers—and found that the answer was section 512(a). See, e.g., Recording Indus. Ass’n of Am. v. Univ. of N.C. at Chapel Hill, 367 F. Supp. 2d 945, 950 & n.4 (M.D. N.C. 2005) (distinguishing between giving students network storage space to maintain websites, which would implicate section 512(c), and providing students with “conduit” connectivity that they use to upload content from their personal computers to third parties on the Internet, which would implicate section 512(a)); Interscope Records v. Doe, 494 F. Supp. 2d 388, 389–91 (E.D. Va. 2007) (making the same distinction regarding a college that provided Internet connectivity that was used to access “P2P systems [that] allow[ed] users to disseminate files stored on their computers to other internet users”); see also Recording Indus. Ass’n of Am. v. Verizon Internet Servs., 351 F.3d 1229, 1233–34 (D.C. Cir. 2003) (quashing subpoena to commercial ISP because its provision of Internet connectivity to file-sharers conduct fell within section 512(a) rather than section 512(c) or (d)).

[48] When designing the survey, we consider posing the question differently, but making it 100% legally accurate would have involved so many caveats and conditions that it would have been much less comprehensible to the non-lawyer respondent.

[49] As already mentioned, however, the survey instrument did not require the percentages that a participant reported to total 100%. So, if they received notices that addressed more than one scenario, they were free to count it in the tally for each.

[50] Note that the numbering of questions in the instrument tracks the automated system that Qualtrics uses and can therefore be somewhat counterintuitive.

[51] Note that the order in which the three scenarios were presented was randomized for each participant.