Is Grooveshark Just the YouTube of Music?

Although Grooveshark has been sued now three times, it has not yet had to explain why it thinks its activities are legal.  After all, as we explained in our last two posts, its activities are infringing–but surely Grooveshark’s founders haven’t gone to the trouble of starting a business if they didn’t have some legal basis for what it does.  And, indeed, they do: they believe Grooveshark is the YouTube of music.  The idea is that, just like YouTube, users upload content and stream that content to their computers on request.  And, to the same extent what YouTube does is legal, so should be what Grooveshark does.

By its nature, YouTube is always at risk of committing both direct and secondary copyright infringement.  Any time a user uploads a copyrighted work–from clips ripped directly from TV or DVDs to home-made videos of children dancing to Prince songs–YouTube would be subject to secondary liability.  Any time a user streams such content to his or her computer, YouTube would be subject to secondary liability.

I say “would be” instead of “is” because YouTube isn’t* liable for these many instances of copyright infringement.  YouTube has a defense:  section 512 of the Copyright Act, better known as “DMCA safe-harbor protection.”  Under this defense, YouTube isn’t liable so long as it meets certain requirements.

YouTube isn’t out of the woods on this.  Viacom sued YouTube a few years ago for $1 billion.  You may have heard about that!  The lower court dismissed Viacom’s case after finding that YouTube was entitled to DMCA safe-harbor protection for all instances of infringement raised by Viacom.  The case is on appeal, so it could well be reversed (and sent back the lower court).  Bear in mind that there are, in essence, two YouTubes for safe-harbor purposes:  the pre-Google YouTube, whose DMCA compliance procedures were poor, and the post-Google YouTube, whose procedures are exemplary (if perhaps overaggressive).  So it may end up that YouTube is liable for some of the earlier acts of infringement but not the later, post-Google ones.

Grooveshark believes that if YouTube can file shelter in the DMCA safe-harbor, so can it.*  I think however, Grooveshark has a tougher row to hoe than YouTube (which, as I’ve just said, isn’t out of the woods).  Whereas YouTube’s content often really was user-generated (home-made videos, etc.), one suspects that very little of Grooveshark’s content is–unless users performed their own original compositions, or somehow obtained licenses for their content.

*  It’s believed that Universal limited its lawsuit against Grooveshark to pre-1972 songs to avoid the DMCA safe-harbor defense.  Take that information for what you will.

Although there are five flavors of the DMCA Safe Harbor, by far the most popular flavor–and the one we’re interested in here–is Section 512(c) because it applies to websites.*  This covers “infringement of copyright by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider.”  In other words, if you operate a website, and your users or customers place infringing material on your website, you won’t be liable despite the infringement–if you comply with certain requirements.

As you can see, it’s not limited to websites, but right now websites are the most prominent beneficiaries of this safe harbor.  We’ll refer to “website operators” as a kind of surrogate for “online service providers” because online service provider is sort of a lifeless term.

This isn’t blanket immunity.  The idea is to excuse websites from having to hall-monitor its users, but in exchange, the website operator must take certain steps to dampen down copyright infringement on the website.  Specifically, the operator must (paraphrasing a bit here):

1.  Have and implement a policy terminating repeat infringers,*

2.  Be genuinely unaware of copyright infringement being committed through its website,

3.  Not receive a direct financial benefit from the copyright infringement; and

4.  Put a stop to copyright infringement, when it has been properly brought to the operator’s attention (better known as “notice and takedown”).

This is a requirement for all flavors of DMCA safe harbor, not just 512(c).  The others are specific to section 512(c).

The first and last requirements are closely related, so we’ll discuss those two first, and we’ll discuss the middle two requirements in our next post.

Notice and Takedown

To benefit from DMCA safe-harbor protection, you must “expeditiously” remove or block access to content on your website after you receive proper notice that someone has a good-faith belief that their copyright is being infringed.  This is certainly the best known (and most notorious) aspect of DMCA safe-harbor (of any flavor).  The statute provides a highly detailed set of procedures for website operator and rights holder to follow.

First off, you (the website operator) must have a designated DMCA agent:  an actual human being who is responsible to receiving the take-down notices, together with his or her contact information (including email).  This information must be (a) posted on your website; and (b) registered with the U.S. Copyright Office.*  The way the statute is written, you are simply not eligible for DMCA safe-harbor protection if you haven’t properly designated an DMCA agent.  It doesn’t matter whether people can easily figure out who your agent is, or that you’re a sole proprietorship and there is no else to send the take-down notice to.  It is a highly technical and apparently unforgiving requirement.**

*  You can download the form here.  Note that it costs money to register.  See the fee schedule here.

**  The requirement has come under a lot of criticism for precisely these reasons, particularly the requirement that the agent be registered with the Copyright Office.  If one can get the information from your website, what’s the point of the Copyright Office’s having redundant information?  Further, it costs at least $105 to register.

The takedown notice is straightforward and requires the sort of information that you (the rights holder) would probably have included anyway:  who you are, what work has been infringed, what material you think is infringing the copyright, and your contact information.  In addition, it requires you to make three statements:

  • That you have a good-faith “belief” that the material in question is “not authorized by the copyright owner, its agent, or the law.”  It’s clear that this statement is at least meant to force you to double-check that you or your agent didn’t license the copyright for this particular use.  What’s less clear is whether you need to evaluate the alleged infringer’s defenses.  Does not authorized … by law just refer to statutory licensing schemes (such as the webcaster license), or does it include any basis for non-liability, such as fair use?*

*  My reading (which doesn’t necessarily reflect my policy preference) is that it is limited to statutory licensing schemes.  Personally, I think the rights holders should be made to make at least a cursory fair-use analysis before sending a take-down notice because otherwise fair use just falls out of the DMCA safe-harbor equation.  But, to me, the term authorized implies an affirmative grant of permission, rather than any legal exception to infringement.  However, at least one federal judge (Jeremy Fogel, whom I blogged about earlier) has explicitly rejected this argument and held that rights holders must make at least a good-faith analysis of fair use before issuing a DMCA take-down notice.  Lenz v. Universal Music Corp., 572 F. Supp. 2d 1150 (N.D. Cal. 2008) (the notorious “Let’s Go Crazy” case).

  • That the information in the take-down notice is accurate.
  • That you (as the signatory of the take-down notice) have the authority to act on behalf of “the owner of an exclusive right that is allegedly infringed.”  This clearly is meant to include at least the copyright owner, the copyright owner’s agents and lawyers, and so forth.  It’s not entirely clear whether this also includes exclusive licensees and their agents.  For some reason, this statement (but not the other two) must be made under penalty of perjury.*

*  Again, that’s my reading.  The statement about accuracy is included in the same sub-paragraph as this one, but grammatically, the phrase under penalty of perjury modifies only this statement and not the accuracy statement.  I’ll add that this makes no sense.  Surely you should be able to vouch for the accuracy of the whole take-down notice, including your good-faith belief of non-authorization, and if so, you should have no trouble swearing to that effect.

Finally, you need to sign the notice.  Unbelievably, this requirement can be waived if (a) you provide the basic information (the who, what and what), and (b) the recipient doesn’t attempt to help the sender comply with the take-down notice requirements.  (Does anyone know why this is?)

Does Grooveshark comply with the notice-and-takedown procedure?  Grooveshark will tell everyone who listens that it does, and I believe Grooveshark on this point.*  If Grooveshark is to rely on the DMCA Safe Harbor, it must absolutely comply with these provisions.  At the same time, they’re not terribly difficult provisions to implement if you’re careful.

*  Update:  According to this April 2011 open letter by Grooveshark’s Paul Geller, Grooveshark has removed 1.76 million files as of the date of the letter, although it doesn’t say whether all of those removals were in response to DMCA takedown notices.

There is a lot more to the notice-and-takedown process, including (a) a procedure for counter-notices by the user whose material is taken down, and (b) liability for those sending notices and counter-notices for making knowing misrepresentations.  Maybe we can get into those issues in another post.

Policy Terminating Repeat Infringers

As a threshold for any flavor of DMCA safe-harbor protection, the website must have, carry out and inform users of a policy for terminating repeat infringers.  This much we think we know about the requirements of such a policy:

  • The website operator must have a “notification system,” i.e., a reliable method of receiving takedown notices.  For example, in the Harlan Ellison case against AOL, AOL was found to have had something less than an ideal notification system because it changed the email address to which takedown notices were to be sent without arranging for forwarding from the old address, which allowed some notices to disappear into the ether.
  • The website operator must have procedure for processing DMCA takedown notices.
  • The website operator can’t block rights owners from gathering information necessary for a DMCA takedown notice.

You’ll notice an emphasis on takedown notices, which feature only in the “flavor” of DMCA safe-harbor protection that we’re talking about here.  In other words, the substantive requirements of one type of safe-harbor is being folded into the general requirement of a repeat-infringer policy.  It’s likely that if another “flavor” were involved, its substantive requirements would be folded in instead.

This leaves a number of unanswered questions:

What does it mean to be an “infringer”?  Does it mean you’ve been merely accused of copyright infringement (perhaps subject to a take-down notice), that you’ve been found liable for copyright infringement, or something in between?  If being subject of a takedown notice is the standard, what happens if there is a counter-notice?  You might think that the compromise view would prevail, but that’s perhaps the least likely choice because it would seem to require some sort of investigation on the operator’s part.  As we’ll discuss in our next post, website operators are not required to investigate infringing activity or otherwise police their sites.

How many times is too many?  The term repeat could mean simply, “more than once,” but it could also connote a pattern of abuse.  A pattern of abuse could mean as few as three instances within short period, or maybe ten, if it was sporadic over a long period of time.  It would depend on the context.  (My money is on “pattern of abuse.”  There are better words than repeat to describe “more than once,” and Congress knew that.)

What constitutes an act of infringement?  In copyright law, each time you wrongfully exercise an exclusive right in a particular work, that’s an act of infringement.  So, if you download three songs illegally, that’s three acts.  In the context of “repeatedness,” is this one instance or three?  (If the standard for “repeatedness” is pattern of abuse, I think this questions drops out because the issue is whether the acts constitute a holistic pattern, not whether we have one, two or three discrete acts.)

Does the nature of the underlying work matter? Does it make a difference if you were downloading expensive software applications, as opposed to short blog posts?

What about fair use?  As I keep saying, fair use is like unto a religious mystery in copyright law.  Reasonable minds often disagree, and you don’t really know until a court makes a determination.  Even if website operators weren’t spared the burdens of investigation and policing, they’re not well equipped to make this judgment.

Right now, the website operators are all over the place on this issue.  Because they don’t know what the minimum requirements are, the operators naturally tend to be conservative in their approach, i.e., they are more aggressive in terminating accounts than perhaps they need to be.  Balancing this tendency is the operators’ desire to avoid annoying their customers.  Naturally, larger websites feel this less keenly than smaller ones.*

This might make some market sense:  if, for example, YouTube is too aggressive, another video-sharing site could market itself as more user friendly.  In that case, the uncertainty as to the minimum requirements and the threat of ruinous lawsuits would act to distort that market.  By the way, the Deeplinks has what I think is a very reasonable suggested policy here.  This law professor makes the case that the recent ISP-RIAA accord is really a way to bring some certainty to what constitutes a reasonable policy.

Here is Grooveshark’s repeat infringer policy (which I got here):

Should EMG [the company that operates Grooveshark] discover or be informed that you continue to upload User Content for which you do not personally own the copyright or otherwise do not have the necessary authority from the copyright owner after EMG has made reasonable efforts to disable your ability to do so, you will be considered a repeat infringer, and EMG will terminate your account and delete all data associated with your account; remove all of the User Content you have uploaded/submitted to the Site; and use its reasonable efforts to prohibit you from signing up for another User account in the future.

Based on what we know about the termination-policy requirement, this appears good enough.  A harder question is whether Grooveshark has been implementing this policy, i.e., whether it has actually terminated users who have repeatedly uploaded copyrighted works without authorization.*  If Grooveshark is, it isn’t publicizing such terminations very well.  For now, we’ll have to give them the benefit of the doubt, and leave it to the plaintiffs to figure it out.

*  Update:  According to the April 2011 open letter, Grooveshark has suspended upload privileges to 22,274 as of the date of that letter.

So far, so good for Grooveshark.  Next time, we’ll finish off discussing Grooveshark’s DMCA–the “middle two” requirements, both of which present (in my opinion) serious stumbling blocks.

If you want to learn more about DMCA safe-harbors, there are some good resources here, here and here.

Thanks for reading!