Baylor University doesn't want its students using peer-to-peer networks. A BlueCoat PacketShaper locks down bandwidth to students, and all inbound ports are blocked by the campus firewall to keep "computers from acting as servers or super nodes in peer to peer networks."

Illinois State uses a packet shaping device called the Packeteer; it singles out P2P traffic and clamps down hard on its available bandwidth to ensure it can't disrupt other, likely more productive uses of the campus network. In addition, the school's intrusion prevention system tries to block P2P traffic in both directions at the campus border, though only if it comes from residence and wireless hotspots—faculty and staff are trusted to use P2P applications responsibly.

Reed College in Oregon shapes bandwidth using a NetEqualizer device, though it doesn't single out P2P traffic. Instead, the system keeps on eye on overall user bandwidth use. Anyone using "excessive bandwidth" gets a friendly call to "ensure that the bandwidth consumption is for legal purposes and that the user is aware of the College's policies concerning illegal file sharing."

Everybody's doing it

These are not isolated examples; in fact, some variant of them is coming to every school in the country this year. In 2008, Congress passed the Higher Education Opportunity Act (HEOA), which included sections requiring every school that takes federal funds to 1) notify its students about copyright infringement issues and 2) develop a plan to address them.

The Motion Picture Association of America (MPAA) lobbied hard for these provisions, and it didn't matter much to members of Congress that the MPAA's secret data on campus piracy was wrong by a factor of three or that college campuses account for relatively little P2P use (the rules have no application to off-campus students).

The 2008 bill sounded a bit vague, talking of the need to "develop" plans that could "include" technological enforcement measures. But when the Department of Education drafted its 2009 rules implementing the bill, they were more specific. Plans must be developed and "implemented," and they must include "the use of one or more technology based deterrents."

The rules went into effect July 1, 2010, and every college and university received a "dear colleague" reminder letter from the Department of Education on June 4 to ensure compliance.

According to EDUCAUSE, the group which represents higher ed IT admins, these deterrents break down into four categories:

Bandwidth shaping

Traffic monitoring to identify the largest bandwidth users

A vigorous program of accepting and responding to Digital Millennium Copyright Act (DMCA) notices

A variety of commercial products designed to reduce or block illegal file sharing

If a school takes federal money, it must use at least one of these approaches or its funding could be jeopardized.

Flexibility

According to a legal memorandum made available by EDUCAUSE, the new rules do allow for some flexibility; while content owners might prefer tough restrictions, deep packet inspection, and vigorous surveillance of heavy users, a robust program of DMCA notice compliance and student sanctions could qualify as a deterrent and would require no such network monitoring (this is Cornell's stated approach).

"College and university administrators may be tempted to follow the RIAA and MPAA recommendations, if only as the path of least resistance," says the memo. "But we want to emphasize that the statute and regulations do not require a lock-step response and they provide each college and university with a substantial degree of discretion in fashioning its response."

The student notification requirement likewise allows flexibility, and the memo suggests using it to explore both copyright infringement and fair use, "which is central to the academic enterprise."

So far, approaches vary widely—as do penalties. Southern Connecticut State University shapes bandwidth, blocks all known P2P applications, and keeps an eye on anyone using large amounts of bandwidth. In addition, when the school receives a DMCA notice targeting one of its students, the approach is block first, ask questions later—"If the University receives a complaint that a user is redistributing copyrighted material that user's Internet connection will be blocked until the complaint is resolved."

Other schools have jumped whole-hog on the deep packet inspection bandwagon, routing residential traffic through an Audible Magic device to screen it for potentially infringing music.

And every school must supply a list of legal download alternatives. EDUCAUSE has created such a list, which is widely linked or copied (see an example from Wheaton College in Massachusetts).

Some schools have in the past gone further, offering their students legal access to music, but this approach has been hugely controversial; the music often uses Windows-only DRM and the cost comes from student fees.