On the Importance of Knowing Just Enough

As we all know by now (quick primer here), the DMCA safe harbor is a marvelous, marvelous thing for internet-related system operators—not just YouTube, but any website that interacts much with its users—but that marvelous protection can be lost if you’re not careful. One way to lose it is to have actual or “red-flag” knowledge of infringing activity on the network. The tendency among service providers, therefore—and something of a perverse incentive—is to remain as ignorant as possible of user activities on the system, unless forced to pay attention via a DMCA takedown notice.

Upload, Infringe, Repeat

But, as the recent Hotfile case demonstrates, complete ignorance isn’t good for your DMCA safe harbor. That’s because you have to promulgate and reasonably implement a policy that terminates repeat infringers. The Hotfile court held that implementing a repeat-infringer policy involves collecting some information.

As I’ve explained here, here and especially here, these repeat-infringer requirements raise several difficult questions that have not been adequately addressed by the courts. In Hotfile, the main question was: what is the minimum you have to do to have “reasonably implemented” a repeat-infringer policy? Folded into that question, however, was a knottier question: when is a user an infringer?

Hotfile (if you’ve somehow never heard of it) is a popular “storage locker” type of service. In theory, users upload their own content to Hotfile’s servers so they may access it anywhere.* But Hotfile isn’t, say, Dropbox. Content uploaded to Hotfile is accessible to the public**, though Hotfile neither publishes a catalogue of its user-supplied content nor makes such content searchable. What’s more, Hotfile assigns each item of user-supplied content a unique URL, which makes it pretty easy for the uploading users—and others—to share content, on a fairly wide scale.

* As I’ve explained before, it’s not 100% certain whether even this innocuous “space shifting” is legal, though chances are it’s a fair use if used purely for personal storage and access. In the event, the rights holders in Hotfile appear not to have challenged the legality of personal “space shifting.”

** Or at least to other Hotfile subscribers, which is almost the same thing.

Though Hotfile isn’t quite Dropbox, it isn’t all that different from Dropbox either. With some effort, you could convert your Dropbox account into something very much like Hotfile. To support collaboration, Dropbox can create unique URLs of uploaded content, presumably so your business associates and friends can view and contribute to your own work, but nothing prevents you from uploading Despicable Me and sharing the URL to that content among your friends. You’d have to set your password to null (assuming Dropbox allows that) or share your password, but it could be done. Turning this around: you could easily configure your Hotfile account to operate like Dropbox, except perhaps without password protection.*

* Hotfile has altered quite a bit since the lawsuit was filed, so it’s hard to find out how it worked pre-litigation; I’m limited to the court’s description of its operations.

Whether by design or by accident, Hotfile was, in practice, popular with pirates. It had 5 million users and received 8 million takedown notices: not a good ratio. And while many takedown notices are baloney, most are not. It bears noting, however, that Hotfile maintained an incentive program for users to drive traffic to large user-uploaded files, and Hotfile had an extensive ecosystem of online catalogues that made up for any lack of a central catalogue.*

* I’m pretty sure Dropbox doesn’t have anything like that.

Hotfile may have received 8 million DMCA takedown notices, but it actually terminated 43 users, usually for reasons that had nothing to do with the takedown notices. As it turns out, Hotfile couldn’t have terminated a user for violating its repeat-infringer policy because Hotfile had no idea which users had racked up how many takedowns. It deliberately avoided collecting that information. But the rights-holding plaintiffs were able to figure it out, and they found 61 subscribers who had accumulated more than 300 notices each, for example. Oh, and these subscribers were among the most rewarded by the incentive program.

Strange: The Only Losing Move Is Not to Play

Although the court spent a lot of time reviewing the scant authority on reasonable implementation of repeat-infringer policies, it decided that this really wasn’t a very close case. There might be a lot of uncertainty about what’s reasonable, but at a minimum, you had to be able to connect takedown notices to subscribers. It was the equivalent of haggling over whether you should walk or run, when you’ve deliberately put one foot in an iron boot.

The court acknowledged that this “connection” requirement had to be squared with another DMCA provision: that a service provider isn’t required to investigate or monitor activity on its system. This provision has gutted—but not quite killed—the red-flag knowledge provision.* The court implicitly held that gathering the necessary information to connect takedown notices with subscribers isn’t an investigation, i.e., “affirmatively seek[ing] facts indicating infringing activity.” If you don’t require the service provider to “look behind” the takedown notices, then this makes sense. Takedown notices are part of the DMCA ecosystem, in that they represent information the service provider is deemed to know.**

* Because the usual test for “awareness” is whether you have enough information to cause you to investigate.

** The odd flipside of this is that the service provider is deemed to be completely ignorant of the information conveyed in a non-compliant takedown notice. That’s just how it has to work.

But this raises another problem. The takedown notices are hardly definitive evidence of infringement. Rights holders frequently make mistakes, for a variety of reasons, some funnier than others. And some rights holders have used DMCA takedown notices to suppress viewpoints they dislike or otherwise to bully folks.

The court’s response to this problem is: well, they’re not perfect, but they’re all we have. The court might also have added: if we’re honest with ourselves, we know that a subscriber who has accumulated 300 takedown notices must have uploaded a lot of infringing content. Even if 90% of takedown notices are baloney, that’s still 30 acts of infringement, which ought to be enough to terminate the subscription.

Bears Repeating: Register Your DMCA Agent!

There’s more. The court also held that Hotfile hadn’t registered its DMCA agent properly. As I’ve explained previously, to be eligible for DMCA safe-harbor protection, you must designate someone to be your DMCA agent, to receive and do something with all of those DMCA takedown requests. But not only that, you have to register with the Copyright Office the name, address, phone number and email address of the DMCA agent, and provide that information on your website (where rights holders can find it).

What Hotfile had, until 2010, was one of those “report abuse” forms and an email address. That sounds like enough, doesn’t it? Just fill out the form and hit “submit,” or if you really insist, you can send your own form to the email address.

Contrary to popular imagination, the law really isn’t all that hung up on technicalities.* But this is a time when the law is very hung up on a technicality. If you don’t substantially comply with the DMCA agent requirements, you don’t get any of that marvelous, marvelous DMCA safe-harbor protection. It’s not hard—you just gotta do it. And Hotfile didn’t get around to it until 2010. So, even if it had the world’s best implementation of the most flawless repeat-infringer policy, it was on the hook for vicarious infringement through 2010.**

* True, a judge in state court recently held that a living man was technically dead. So, yeah.

** And maybe not even now. The address supplied by Hotfile was a P.O. box, which is, by definition, a perfectly fine mailing address. But the Copyright Office doesn’t accept P.O. boxes for some reason as an appropriate address for the DMCA agent. It’s not at all clear whether the Copyright Office was empowered to exclude P.O. boxes from the statute’s term “address.” But the court was clearly prepared to hold that Hotfile never had a properly registered DMCA agent because it (shudder) used a P.O. box for an address.

Thanks for reading!