All We Really Learned Is that Even Big Corporations Don’t Always Run Things by Counsel.

We have learned quite a lot about the contours of the DMCA safe harbors over the last few years, thanks to record labels swinging for the fences, Viacom and Google’s tenacity in fighting over early-days YouTube, and a rare sighting of a certain kind of “red flag.” But these cases haven’t addressed the fuzziest area of the DMCA safe-harbors: the requirement for a “repeat infringer” policy. As I’ve argued before, this requirement is service providers’ greatest point of vulnerability. Because of the law’s fuzziness, service providers can’t be certain they’re in compliance. What’s more, if they’re, they lose all protection from DMCA safe harbors. But, for some reason, the rights holders have been reluctant to attack it.

Cox runs its graduated response to copyright infringement out of this trailer, far away from any legal counsel

Cox runs its graduated response to copyright infringement out of this trailer, far away from any legal counsel. By Jeremy Randell. Creative Commons.

To get clarity about a law, you need a case that is forced to address the difficult questions. Remember that courts only rule on the issues presented to them, and their findings and reasoning are only precedential to the extent they are necessary for the court’s decision.1 Courts don’t give advisory opinions, just because it would help clear things up. Thus, if there’s an easy way and a difficult way to resolve a dispute, the court will normally just rule on the easy way. Remember also that lawsuits are expensive, and to get to the point where a court will issue a ruling takes a lot of money. It also takes a certain amount of motivation. Even a company with a lot of money won’t fight hard if the issue isn’t important to its business. So, what you need is a fight between two parties who are motivated and well-funded, who present difficult questions that a court can’t avoid.

It seemed maybe we got what we wanted last year, when two “music publishers”2 sued an internet service provider, Cox Communications, for enabling and benefiting from its customers’ sharing of music over BitTorrent protocol. The plaintiffs put Cox’s repeat infringer policy front and center of its legal theory. Since Cox is a major ISP and would surely have crafted implemented its repeat infringer policy with great care, this was sure to present the court with very hard legal questions.

Still, it wasn’t inevitable that court would get to the repeat-infringer issues. As I blogged last year when the case was first filed, I was not convinced that the plaintiffs’ case for copyright infringement would make it to trial. The DMCA safe harbors are defenses, and you don’t need a defense if you didn’t do anything illegal. The plaintiffs weren’t accusing Cox of directly infringing copyright—Cox’s subscribers were the ones allegedly doing that—but of contributing to and being “vicariously liable” for the infringing activity of Cox’s subscribers.

In that regard, I have good news and bad news. The good news is that the parties managed to put the issue of Cox’s repeat-infringer policy in front of the court before the court had to rule on the plaintiff’s claims for secondary liability.3 The bad news is that this ended up not being a very close case, so we didn’t learn very much at all about the requirements for a repeat infringer policy.

One DMCA Requirement to Rule them All…

As an ISP4, Cox could take advantage of a safe-harbor specifically designed for ISPs, “transitory digital network communications.” The idea is that we want ISPs to continue providing service to consumers without having to worry overmuch about massive copyright infringement when those consumers use the ISP’s services to infringement copyright.

All safe harbors have limitations specific to the safe harbor. This one is no different. But the limitations aren’t very significant because they basically describe normal ISP behavior. If an ISP does its job, it will meet these requirements.

But there is one additional requirement to all DMCA safe harbors. If you’re just focusing on the statutory language describing the safe harbors, you’ll miss it, because it’s buried later in the statute. It’s what is usually referred to as the “repeat-infringer” requirement. Here’s the full statutory text:

The limitations on liability established by this section shall apply to a service provider only if the service provider … has adopted and reasonably implemented, and informs subscribers and account holders of the service provider’s system or network of, a policy that provides for the termination in appropriate circumstances of subscribers and account holders of the service provider’s system or network who are repeat infringers.

Unpacking this: to be eligible for any DMCA safe harbor5 a service provider (like Cox) must (1) adopt a policy that “provides for the termination in appropriate circumstances of subscribers … who are repeat infringers,” (2) “reasonably implement[]” that policy, and (3) inform the subscribers of the policy.

…and in the Darkness Bind Them.

I told you it was fuzzy! There’s so much we don’t know about this requirement:

  • Who counts as an “infringer”? We know what infringement is, but how much proof does the service provider need to have before it must start treating a subscriber as an infringer, and not just a possible infringer?
  • What about the DMCA provision relieving service providers of any duty to investigate infringing activity? How realistic is a duty to identify repeat infringers when there’s no corresponding duty to investigate?
  • And, how many acts of infringement makes one a “repeat infringer”? Just two? A whole bunch? Does frequency matter?
  • What are the “appropriate circumstances” under which a service provider must terminate a subscriber’s account?
  • When is a given implementation of one of these policy “reasonable”?

Adding to the fuzziness: any answers to these questions is going to be context specific. What is “reasonable” and “appropriate” always depends on the circumstances. And, one suspects, what constitutes a “repeat infringer” will depend on frequency of the alleged infringement, the nature of evidence of infringement, and the nature of the services being provided.

There, however, one rock-solid requirement for a repeat-infringer policy. The policy, by definition, must include at least the possibility of termination. Even then, there’s lots we don’t know. Since service providers don’t like to terminate paying customers, there’s going to a temptation to craft the policy so that termination never happens. Obviously, that’s no good. The possibility of termination must be realistic or else it’d have no deterrent effect. But how far can service providers push that? And does the number of terminations matter? Is it a good proxy for the how realistic the possibility of termination is?6

Graduating Magna Cum Delictum

Alas, all the Cox case ended up doing for us is confirming that termination has to be at least a possibility. Now, you might think—as I did—that Cox had an unusually strong repeat-infringer policy. Back in 2013, Cox trotted out a complex repeat-infringer policy called “Cox Graduated Response.”7 It used the number of “infringement complaints” to determine the severity of the response, and it focused on educating users. There were lots of warnings, and eventually users would get shut out of using Cox’s service until they spoke to a service representative. Eventually, after fourteen infringement complaints, a Cox employee could consider termination, though it was not a requirement.

Oddly, by all accounts, this policy actually worked pretty well8. I suspect the educational aspect deterred casual infringers quickly enough. In theory, the hard-core infringers would eventually get weeded out with the harsher responses, and if those didn’t work, they’d be terminated.

One More Infringement and You’ll Be on Double-Secret Probation!

The problem was that Cox had a secret policy of never terminating anyone. Wait, let me re-phrase that more accurately. First, Cox had a secret policy of pretending to terminate subscribers, then it had a secret policy of never terminating anyone. Under the first secret policy, whenever a subscriber reached the fourteen-complaint level, and a Cox employee really felt that the subscriber should be terminated, that employee was under orders to temporarily terminate the subscriber then restore the account—with all complaints wiped away—after a good talking to. Worse, Cox was motivated by money: it wanted to hold onto every customer, even customers it knew were “repeat infringers” by anyone’s definition.

The plaintiffs had what you might call “smoking gun” level evidence of this. For example, Cox’s “Manager of Customer Abuse Operations” told his subordinates:

As we move forward in this challenging time we want to hold on to every subscriber we can. With this in mind if a customer is terminated for DMCA, you are able to reactivate them after you give them a stern warning about violating our AUP and the DMCA. We must still terminate in order for us to be in compliance with safe harbor but once termination is complete, we have fulfilled our obligation. After you reactive them the DMCA ‘counter’ restarts. … We do not talk about it or give the subscriber any indication that reactivating them is normal.

I, uh, hope that no one in Cox’s legal department approved of this! But someone higher up at Cox was obviously leaning on this guy, and that someone knew just enough about the need to have a repeat-infringer policy to be dangerous. Terminations had to be made, for show, but that was the extent of Cox’s legal obligations. Um, no.9

Some of the results (though anecdotal) were not pretty. One subscriber had been “terminated” twice and was still getting into trouble. The response: “It is fine. We need the customers.”

Interestingly, Cox contrasted copyright infringement with other bases for termination. Acts that threatened Cox’s network—spam, hacking, denial-of-service attacks, etc.—were to be treated mercilessly. Copyright infringement? Not really Cox’s problem. Which is kind of why Congress enacted that repeat-infringer policy requirement, in the first place, wouldn’t you say?

The second secret policy was simply not to terminate anyone. The evidence isn’t as breathtaking as for the first secret policy. The plaintiffs showed that Cox had terminated only a handful of subscribers. If that were all the evidence, however, the court would have let the issue go to the jury. However, the plaintiffs had documented evidence of Cox repeatedly finding excuses not to terminate subscribers it had essentially already identified as repeat infringers. This evidence was anecdotal, but it was enough to convince the court.

Between Ignorance and Certainty There Lies the Middle Path of Knowledge, Grasshopper.

But the Cox case wasn’t a complete waste! We actually find out what “infringement” means in terms of what makes a “repeat infringer.” That’s because, in the face of this smoking-gun evidence, Cox needed another plausible argument. The most straightforward one was to argue that none if its subscriber were really repeat infringers because none had ever been actually held liable for copyright infringement by a court. This issue goes to one of the question of what makes someone an infringer purpose of a legally-sufficient repeat-infringer policy?

The reasoning behind Cox’s argument is basic due process. It’s easy to accuse someone of infringement. Even where you have proof that a copyrighted work was reproduced, distributed or whatever, you don’t know about any defenses. Maybe the alleged infringer was authorized? Maybe the use was a fair use? Without litigation to ferret all these issues, and give the accused infringer a chance to defend himself or herself, you don’t know for sure.10

The problem with this argument, is that it’s unworkable. It would require copyright owners to first successfully sue a large number of subscribers, then sue the service provider, many years later. This not only defeats the purpose of requiring a repeat-infringer policy, but it defeats the purpose of secondary liability, which is to precisely to avoid massive lawsuits against direct infringers. You sue the person responsible for making it all possible.

There must a middle ground between adjudication and unsubstantiated complaints. Unfortunately, the matter is complicated by the fact that service providers are never obligated to actually investigate infringing activity on their systems. Thus, for example, you can’t say it’s infringement once the service provider gets enough complaints to make it look into the subscriber’s activity.

The court felt it could square this particular circle by establishing a “knowledge” requirement, and not worrying overmuch about each possible act of infringement. The court held that a customer was a repeat infringer if the service provider received enough information—without affirmatively investigating—to support such an accusation.

This leaves open the question of how bad a subscriber’s activity has to be before he or she deserves to be terminated. In this case, the court didn’t really need to figure that out because there was evidence that Cox employees themselves had concluded that certain subscribers were beyond the pale (and yet were not permanently terminated). So, again, not a close call.

I seriously doubt that Cox’s failure to terminate actually made piracy measurably worse. The number of subscribers who met the requirements for termination appears to have been pretty small, and terminating them wouldn’t have made a dent in piracy, especially, when you consider how BitTorrent works. Terminating them wouldn’t have had a deterrent effect because the terminations aren’t necessarily publicized (and the ISPs have incentives not to publicize them).

Let’s Hear a Sad Trombone for Rightscorp!

Cox may be the loser here—though how much of a loser will depend on how well the plaintiffs can make their claims for secondary liability (more on that next time)—but its real opponent, Rightscorp, is also a loser. Remember Rightscorp? It operates by identifying possible infringing activity over BitTorrent protocols, then sending a massive number of small settlement demands through the ISPs. The business model only works if the ISP play ball, and Cox didn’t.

This explains why all this devastating smoking-gun evidence discussed above was only the plaintiffs’ third-most important argument. They actually prioritized two other bases: (1) Cox’s refusal to forward settlement demands (like Rightscorp’s) to its subscribers, and (2) Cox’s limit on the daily number of complaints it will receive from a given source (like Rightscorp—though the policy wasn’t directed at Rightscorp, which apparently made a real nuisance of itself by sending thousands of complaints a day to Cox). What Cox wanted was a message to the other ISPs: play ball with us, or lose your safe harbor.

Remember what I said about courts preferring easy solutions to hard ones? Well, here you go. The court was presented with three arguments. One involved a rock-solid requirement and smoking-gun evidence. The others were more novel. We can presume that service providers have some obligation to make it easy to register infringement complaints, though we’re not sure.11 The hard limit seems reasonable, to be honest. And, while forwarding infringement complaints to subscribers (which Cox normally does, just not ones that include settlement demands) might be helpful, there’s no reason to think it’s absolutely necessary.

Next time, we’ll look at the court’s treatment of the secondary liability claims against Cox—remember, the ones I though were so weak? Spoiler: the court let them go to the jury, but I’m still bullish on Cox’s chances. Edit (and further spoiler): the jury ruled against Cox, but I still have my doubts.

Thanks for reading!