Secondary liability for online copyright infringement: The Cox decision
By Frank Rittman — 25 Jan 2017
Secondary liability for copyright infringement has been a hotly contested issue in a number of international jurisdictions. Most countries act in some way to limit the liability of internet service providers (ISPs) for their customers’ infringing activities. In some instances, this might require ISPs to forward notices of infringement received from rights owners on to their customers as a means to raise awareness, or take additional steps to deter infringement. In return for acting reasonably, and as prescribed by statute, ISPs get the benefit of so-called ‘safe harbor’ protections that limit their liability considerably.
An ongoing case in the United States, analyzed during a CCP lecture on January 10th, took a close look at the safe harbor provisions there, and more specifically what ISPs have to do to benefit from them, resulting in a decision that startled the legal community. The case, BMG Rights Management (US) v. Cox Communications, Inc., involves secondary liability for copyright infringement, which happens when a party materially contributes to, facilitates, induces, or is otherwise responsible for directly infringing acts carried out by another party.
Many jurisdictions, including Singapore, recognize secondary liability explicitly within their copyright laws and provide specific conditions under which one party can be held responsible for the infringing acts of another. But in the United States, secondary liability for copyright infringement is a creature of case law. So the courts, rather than Congress, are primarily responsible for its development. And historically the courts have recognized two kinds of secondary liability.
The first is vicarious liability, which emanates from the agency doctrine and the notion of some supervisory capacity. Here, courts have held that employers should be responsible for the infringing acts of their employees under traditional master-servant principles. Contributory liability, on the other hand, holds third parties liable for the primary act of infringement based on their relationship with the actual harm, either by enabling it or by benefiting from it.
These doctrines have been recognized in U.S. cases involving music copyrights dating back more than 90 years. More recently, case law concerning music infringement has migrated over to the internet. Some of these cases have focused on the liability of website or network operators who create platforms used by others to commit infringement. A third doctrine, known as inducement liability, was recognized by the Supreme Court in the Grokster case. It accrues when someone distributes a device with the objective of promoting its use to infringe, as shown by clear expression or other affirmative steps.
The latest question is whether internet service providers should be held liable for the infringing acts of their network subscribers. Although there are certainly circumstances under which ISPs can be held directly, or primarily liable for infringement, the Digital Millennium Copyright Act sets out conditions under which ISPs can limit their liability for secondary infringement with respect to certain activities. These limitations extend to transitory network communications, system caching, information storage, and information location tools. These last three categories of activity have notice-and-takedown rules providing specific mechanisms for infringement notices, counter-notices and put-back, and liability provisions if false notice has been given. In order to be eligible for the safe harbor protections, ISPs in the United States have to abide by certain conditions. These include maintaining the foregoing notice and takedown provisions, as well as not interfering with technical measures used by copyright owners to protect their works. Most importantly, ISPs have to adopt and reasonably implement a policy to terminate the accounts of repeat infringers under certain circumstances.
In this case, BMG Music employed the services of an investigative company, Rightscorp, to detect and trace unauthorized copies of their musical compositions distributed illegally on peer-to-peer networks. Once an unauthorized distribution was identified, Rightscorp was able to obtain the date, time, and IP address of the peers between whom the files were shared. Beginning in 2011 they started sending infringement notices on BMG’s behalf to Cox, asking that they be forwarded to their customers. Many of those notices related to repeat infringer subscriber accounts.
A unique aspect of the Rightscorp notices was the inclusion of a settlement offer providing an opportunity to forego legal escalation by spaying a spot fine of roughly $20 to $30 per song. This proved to be the first point of contention between the parties. Cox took the view that such offers were inappropriate in the context of a DMCA notice and asked Rightscorp to take that language out of their letters. Rightscorp refused to do so, prompting Cox to blacklist them, meaning that they configured their system to automatically delete messages received from Rightscorp’s e-mail address. The information contained in those notices was never retrieved, reviewed, or acted upon.
Rightscorp then ramped things up, sending as many as 24,000 infringement notices per day and prompting Cox to ultimately block Rightscorp altogether. When a complainant is simply blacklisted, Cox still has a record of the emails’ receipt and deletion. But when a complainant is blocked at the server level, there is no record at all of any message having ever been received. BMG thereafter filed a complaint against Cox in November 2014 in the United States District Court for the Eastern District of Virginia alleging contributory and vicarious liability for copyright infringement of their musical compositions. The complaint sought statutory damages, injunctive relief, fees, and costs. Cox claimed in its defense that, as an ISP, its liability was limited by virtue of the DMCA’s safe harbor provisions, since it was a mere conduit for transitory digital networking communications, and that it did nothing more than transmit, route, or provide connections for copyrighted material.’
Before the trial, both parties filed cross-summary judgment motions. BMG sought summary judgment regarding its ownership of the subject copyrights, and also sought a ruling that Cox wasn’t entitled to protection under the DMCA’s safe harbor provisions. Cox, of course, asked the court to deny BMG’s motion, or alternatively to enter summary judgment in its favor on both issues. With slight exception, BMG prevailed on its ownership claims and proved that they did in fact have standing to bring the action. BMG also prevailed on its claim that Cox couldn’t meet the DMCA’s threshold requirement for adopting and reasonably implementing a repeat infringer policy.
Under the DMCA, a service provider has to demonstrate that it has ‘adopted and reasonably implemented, and informed its subscribers and account holders of its policy providing for the termination in appropriate circumstances of subscribers and account holders who are repeat infringers.’ This required the court to take a closer look at things, and dispute fell upon what it meant for a service provider to reasonably implement its policy.
Cox did, in fact, have an ‘Acceptable Use Policy’ that prohibits account holders from using its internet service to post, copy, transmit, or disseminate any content that infringes the patents, copyrights, trade secrets, trademark, moral rights, or proprietary rights of any party. It further specifies that violation may result in the immediate suspension or termination of access to the service, or the entire account.
But BMG said there were three reasons why Cox didn’t reasonably implement that repeat infringer policy. First, they said Cox can’t refuse to accept infringement notices just because they contain settlement offers, or ignore the specific information contained in those notices. Second, BMG complained that Cox had an unreasonable ‘hard limit’ policy restricting the number of notices it would process in a 24-hour period, that went not only to the claims against individual subscribers, but also to the aggregate claims sent by rights owners in any given day. Third, BMG argued that Cox simply didn’t terminate access or repeat infringers under appropriate circumstances. The court agreed with them on the last count, so it didn’t bother concerning itself with the first two.
It came out in evidence that Cox had a graduated response policy requiring no less than 14 notices before any consideration would be made about termination. The testimony on record revealed that on receipt of a first infringement notice sent to any given subscriber, Cox took no action whatsoever. It claimed this is because a substantial percentage of accounts never receive a second complaint. When a second complaint did arrive, Cox sent an email to the account holder that included a letter explaining the alleged infringement, along with the complete text of the notice received from the copyright owner.
The process of sending an email warning was repeated on the third, fourth, fifth, sixth, and seventh complaints Cox received for an account within a six-month period. When Cox received an eighth notice, it placed the subscriber into a ‘soft-walled garden’ limited to a single webpage and a warning message. But the account holder could exit and reactivate service by clicking a link on the webpage. The same thing happened on Cox’s receipt of a ninth notice. The tenth complaint placed the subscriber into a ‘hard-walled garden’ instructing the subscriber to call Cox Customer Service to request reactivation. That same procedure was followed upon receipt of the eleventh complaint. The twelfth and thirteenth complaints placed account holders back into the walled garden, but now they had to speak to a higher-level customer service representative in order to get reactivated. When Cox got a fourteenth notice during an abuse cycle, they then reviewed the full account history to consider termination. However, Cox claimed that in the vast majority of cases it never had to resort to termination.
The court also took note of internal emails amongst Cox’s employees showing that although the ISP recognized termination as a legal DMCA requirement, they felt perfectly within their rights tore-activate the customer immediately following the termination, at which point the customer would start over again with a clean slate. The court didn’t buy this approach, citing Black’s Law Dictionary definition of ‘terminate’ as meaning “to put an end to; to bring an end” and holding that service providers cannot skirt the termination requirement by imposing something short of complete termination.
Certain aspects of Cox’s policy were unwritten altogether. For example, Cox limited the number of notices it would process in a day. Any notices beyond the limit were closed, and not counted in the graduated response escalation. And Cox only counted one notice per subscriber per day. In other words, if a subscriber received ten notices in a day they were rolled up into a single ticket.
U.S. District Court Judge Liam O’Grady held that no reasonable jury could find that Cox had implemented a repeat infringer policy under these circumstances, and during the particular period of time in question. Cox later added two additional steps to its graduated response procedure that both strengthened the policy but reduced the likelihood that it might actually implement it. BMG successfully established that although Cox had at some point developed a termination procedure and had knowledge of its customers’ infringements, it simply chose to do nothing about it.
Justice O’Grady ruled for BMG that Cox could not avail itself to a safe harbor defense against any liability that a jury might find at trial. By contrast, he rejected Cox’s motion for summary judgment and held that there remained sufficient issues of material fact for the jury to decide. Following a two-week trial, in December 2015 a jury found Cox liable for willful contributory copyright infringement and awarded BMG $25 million in statutory damages. The jury found that Cox knew, or had reason to know, about its’ users infringements but was willfully blind to it and materially contributed to it. In short, the jury found that Cox was aware of the infringing activity and responded to it recklessly or with deliberate disregard. However, the court refused BMG’s claim for vicarious liability, as well as their request for a permanent injunction. Vicarious liability would have required a showing of Cox’s right and ability to supervise the infringing activity, and an obvious and direct financial interest in it. But here the jury found no such interest.
The parties then brought post-trial motions back to Justice O’Grady in 2016, with Cox moving for judgment as a matter of law, or alternatively for a new trial, and BMG seeking judgment as a matter of law on its failed claim of vicarious liability as well as permanent injunctive relief. Cox argued that its internet service was capable of substantially non-infringing use and was therefore immunized from liability by virtue of the Sony Betamax decision. And it argued that even if it wasn’t immunized by Betamax, it hadn’t engaged in any acts of inducement with respect to its customers.
Unsurprisingly, the judge denied both parties’ motions and effectively preserved his earlier rulings. Cox thereafter filed notice in the fourth circuit Court of Appeals in November, and BMG responded in December. Various amici briefs have by now been filed. For now, though, the judgment stands and represents the first time an ISP has been held responsible for its subscribers’ music piracy. The question becomes what does it mean looking ahead? Justice O’Grady himself noted that “in reaching this conclusion, the court acknowledges that the application of traditional contributory infringement to large intermediaries like Cox magnifies the uncertainties in this area of law and raises the specter of undesirable consequences that may follow.”
In fact there seems to be little in the way of new or innovative jurisprudence having been introduced. Yes, the DMCA says that ISPs can’t be held liable when customers user their net access or server space to infringe copyright if they have a decent system in place for stopping the infringement once they’re made aware of it. But in this instance, BMG argued and convinced the court that Cox simply operated a shoddy system, and weren’t entitled to the protections that might have otherwise been available to them had they acted more responsibly. Many observers feel the decision simply reflects good facts set against good law
But aside from the specific circumstances of this particular case, the decision raises for consideration a number of larger policy issues, such as whether the notice-and-takedown system in the United States codified 19 years ago is still functioning effectively. Rights owners spend a tremendous amount of time and money chasing down infringing URLs, only to see them pop up again after being taken down. It seems to them at times that ISPs simply play a game of cat and mouse with respect to takedown notices. So does notice and takedown provide meaningful redress, in 2017, against unchecked acts of infringement? Are there newer, better alternatives (such as site blocking) out there worth considering?
And what are the implications for other jurisdictions? The DMCA account termination provisions have been hard-fought points of concern in bilateral and multilateral trade negotiations and the United States has sought at every opportunity to replicate them in the various free trade agreements it negotiates around the world, including Singapore. In some instances they were successful while in others they were not. The language didn’t survive the final text of the Trans Pacific Partnership agreement, for example.
But several jurisdictions, including Singapore, have also enacted so-called ‘no fault’ provisions into their laws allowing rights owners to obtain blocking orders serviceable upon ISPs requiring them to block access to infringing websites and peer to peer networks without regard to any liability to the ISP for the underlying infringements. Research has shown that blocking access to infringing sites reduces local traffic to such sites by roughly 80% on average, suggesting it’s a more effective remedy to deter ongoing infringement than notice and takedown.
Meanwhile, the appeal will be closely watched by legal and legislative observers around the world. For the time being the district court decision represents one of the most significant developments in secondary liability for online infringement to have come along so far. Looking ahead, it may well prove to a catalyst for policy reform and a more supportive environment for copyright owners.
Frank Rittman is the Founding Director and Counsel for the Centre for Content Promotion. He previously served for more than a decade as the Senior Vice President, Deputy Managing Director, and Regional Policy Officer for the Motion Picture Association.
Secondary liability for online copyright infringement: The Cox decision
By Frank Rittman — 25 Jan 2017
Secondary liability for copyright infringement has been a hotly contested issue in a number of international jurisdictions. Most countries act in some way to limit the liability of internet service providers (ISPs) for their customers’ infringing activities. In some instances, this might require ISPs to forward notices of infringement received from rights owners on to their customers as a means to raise awareness, or take additional steps to deter infringement. In return for acting reasonably, and as prescribed by statute, ISPs get the benefit of so-called ‘safe harbor’ protections that limit their liability considerably.
An ongoing case in the United States, analyzed during a CCP lecture on January 10th, took a close look at the safe harbor provisions there, and more specifically what ISPs have to do to benefit from them, resulting in a decision that startled the legal community. The case, BMG Rights Management (US) v. Cox Communications, Inc., involves secondary liability for copyright infringement, which happens when a party materially contributes to, facilitates, induces, or is otherwise responsible for directly infringing acts carried out by another party.
The first is vicarious liability, which emanates from the agency doctrine and the notion of some supervisory capacity. Here, courts have held that employers should be responsible for the infringing acts of their employees under traditional master-servant principles. Contributory liability, on the other hand, holds third parties liable for the primary act of infringement based on their relationship with the actual harm, either by enabling it or by benefiting from it.
These doctrines have been recognized in U.S. cases involving music copyrights dating back more than 90 years. More recently, case law concerning music infringement has migrated over to the internet. Some of these cases have focused on the liability of website or network operators who create platforms used by others to commit infringement. A third doctrine, known as inducement liability, was recognized by the Supreme Court in the Grokster case. It accrues when someone distributes a device with the objective of promoting its use to infringe, as shown by clear expression or other affirmative steps.
The latest question is whether internet service providers should be held liable for the infringing acts of their network subscribers. Although there are certainly circumstances under which ISPs can be held directly, or primarily liable for infringement, the Digital Millennium Copyright Act sets out conditions under which ISPs can limit their liability for secondary infringement with respect to certain activities. These limitations extend to transitory network communications, system caching, information storage, and information location tools. These last three categories of activity have notice-and-takedown rules providing specific mechanisms for infringement notices, counter-notices and put-back, and liability provisions if false notice has been given. In order to be eligible for the safe harbor protections, ISPs in the United States have to abide by certain conditions. These include maintaining the foregoing notice and takedown provisions, as well as not interfering with technical measures used by copyright owners to protect their works. Most importantly, ISPs have to adopt and reasonably implement a policy to terminate the accounts of repeat infringers under certain circumstances.
In this case, BMG Music employed the services of an investigative company, Rightscorp, to detect and trace unauthorized copies of their musical compositions distributed illegally on peer-to-peer networks. Once an unauthorized distribution was identified, Rightscorp was able to obtain the date, time, and IP address of the peers between whom the files were shared. Beginning in 2011 they started sending infringement notices on BMG’s behalf to Cox, asking that they be forwarded to their customers. Many of those notices related to repeat infringer subscriber accounts.
A unique aspect of the Rightscorp notices was the inclusion of a settlement offer providing an opportunity to forego legal escalation by spaying a spot fine of roughly $20 to $30 per song. This proved to be the first point of contention between the parties. Cox took the view that such offers were inappropriate in the context of a DMCA notice and asked Rightscorp to take that language out of their letters. Rightscorp refused to do so, prompting Cox to blacklist them, meaning that they configured their system to automatically delete messages received from Rightscorp’s e-mail address. The information contained in those notices was never retrieved, reviewed, or acted upon.
Rightscorp then ramped things up, sending as many as 24,000 infringement notices per day and prompting Cox to ultimately block Rightscorp altogether. When a complainant is simply blacklisted, Cox still has a record of the emails’ receipt and deletion. But when a complainant is blocked at the server level, there is no record at all of any message having ever been received. BMG thereafter filed a complaint against Cox in November 2014 in the United States District Court for the Eastern District of Virginia alleging contributory and vicarious liability for copyright infringement of their musical compositions. The complaint sought statutory damages, injunctive relief, fees, and costs. Cox claimed in its defense that, as an ISP, its liability was limited by virtue of the DMCA’s safe harbor provisions, since it was a mere conduit for transitory digital networking communications, and that it did nothing more than transmit, route, or provide connections for copyrighted material.’
Before the trial, both parties filed cross-summary judgment motions. BMG sought summary judgment regarding its ownership of the subject copyrights, and also sought a ruling that Cox wasn’t entitled to protection under the DMCA’s safe harbor provisions. Cox, of course, asked the court to deny BMG’s motion, or alternatively to enter summary judgment in its favor on both issues. With slight exception, BMG prevailed on its ownership claims and proved that they did in fact have standing to bring the action. BMG also prevailed on its claim that Cox couldn’t meet the DMCA’s threshold requirement for adopting and reasonably implementing a repeat infringer policy.
Under the DMCA, a service provider has to demonstrate that it has ‘adopted and reasonably implemented, and informed its subscribers and account holders of its policy providing for the termination in appropriate circumstances of subscribers and account holders who are repeat infringers.’ This required the court to take a closer look at things, and dispute fell upon what it meant for a service provider to reasonably implement its policy.
Cox did, in fact, have an ‘Acceptable Use Policy’ that prohibits account holders from using its internet service to post, copy, transmit, or disseminate any content that infringes the patents, copyrights, trade secrets, trademark, moral rights, or proprietary rights of any party. It further specifies that violation may result in the immediate suspension or termination of access to the service, or the entire account.
But BMG said there were three reasons why Cox didn’t reasonably implement that repeat infringer policy. First, they said Cox can’t refuse to accept infringement notices just because they contain settlement offers, or ignore the specific information contained in those notices. Second, BMG complained that Cox had an unreasonable ‘hard limit’ policy restricting the number of notices it would process in a 24-hour period, that went not only to the claims against individual subscribers, but also to the aggregate claims sent by rights owners in any given day. Third, BMG argued that Cox simply didn’t terminate access or repeat infringers under appropriate circumstances. The court agreed with them on the last count, so it didn’t bother concerning itself with the first two.
It came out in evidence that Cox had a graduated response policy requiring no less than 14 notices before any consideration would be made about termination. The testimony on record revealed that on receipt of a first infringement notice sent to any given subscriber, Cox took no action whatsoever. It claimed this is because a substantial percentage of accounts never receive a second complaint. When a second complaint did arrive, Cox sent an email to the account holder that included a letter explaining the alleged infringement, along with the complete text of the notice received from the copyright owner.
The process of sending an email warning was repeated on the third, fourth, fifth, sixth, and seventh complaints Cox received for an account within a six-month period. When Cox received an eighth notice, it placed the subscriber into a ‘soft-walled garden’ limited to a single webpage and a warning message. But the account holder could exit and reactivate service by clicking a link on the webpage. The same thing happened on Cox’s receipt of a ninth notice. The tenth complaint placed the subscriber into a ‘hard-walled garden’ instructing the subscriber to call Cox Customer Service to request reactivation. That same procedure was followed upon receipt of the eleventh complaint. The twelfth and thirteenth complaints placed account holders back into the walled garden, but now they had to speak to a higher-level customer service representative in order to get reactivated. When Cox got a fourteenth notice during an abuse cycle, they then reviewed the full account history to consider termination. However, Cox claimed that in the vast majority of cases it never had to resort to termination.
The court also took note of internal emails amongst Cox’s employees showing that although the ISP recognized termination as a legal DMCA requirement, they felt perfectly within their rights tore-activate the customer immediately following the termination, at which point the customer would start over again with a clean slate. The court didn’t buy this approach, citing Black’s Law Dictionary definition of ‘terminate’ as meaning “to put an end to; to bring an end” and holding that service providers cannot skirt the termination requirement by imposing something short of complete termination.
Certain aspects of Cox’s policy were unwritten altogether. For example, Cox limited the number of notices it would process in a day. Any notices beyond the limit were closed, and not counted in the graduated response escalation. And Cox only counted one notice per subscriber per day. In other words, if a subscriber received ten notices in a day they were rolled up into a single ticket.
U.S. District Court Judge Liam O’Grady held that no reasonable jury could find that Cox had implemented a repeat infringer policy under these circumstances, and during the particular period of time in question. Cox later added two additional steps to its graduated response procedure that both strengthened the policy but reduced the likelihood that it might actually implement it. BMG successfully established that although Cox had at some point developed a termination procedure and had knowledge of its customers’ infringements, it simply chose to do nothing about it.
Justice O’Grady ruled for BMG that Cox could not avail itself to a safe harbor defense against any liability that a jury might find at trial. By contrast, he rejected Cox’s motion for summary judgment and held that there remained sufficient issues of material fact for the jury to decide. Following a two-week trial, in December 2015 a jury found Cox liable for willful contributory copyright infringement and awarded BMG $25 million in statutory damages. The jury found that Cox knew, or had reason to know, about its’ users infringements but was willfully blind to it and materially contributed to it. In short, the jury found that Cox was aware of the infringing activity and responded to it recklessly or with deliberate disregard. However, the court refused BMG’s claim for vicarious liability, as well as their request for a permanent injunction. Vicarious liability would have required a showing of Cox’s right and ability to supervise the infringing activity, and an obvious and direct financial interest in it. But here the jury found no such interest.
The parties then brought post-trial motions back to Justice O’Grady in 2016, with Cox moving for judgment as a matter of law, or alternatively for a new trial, and BMG seeking judgment as a matter of law on its failed claim of vicarious liability as well as permanent injunctive relief. Cox argued that its internet service was capable of substantially non-infringing use and was therefore immunized from liability by virtue of the Sony Betamax decision. And it argued that even if it wasn’t immunized by Betamax, it hadn’t engaged in any acts of inducement with respect to its customers.
In fact there seems to be little in the way of new or innovative jurisprudence having been introduced. Yes, the DMCA says that ISPs can’t be held liable when customers user their net access or server space to infringe copyright if they have a decent system in place for stopping the infringement once they’re made aware of it. But in this instance, BMG argued and convinced the court that Cox simply operated a shoddy system, and weren’t entitled to the protections that might have otherwise been available to them had they acted more responsibly. Many observers feel the decision simply reflects good facts set against good law
But aside from the specific circumstances of this particular case, the decision raises for consideration a number of larger policy issues, such as whether the notice-and-takedown system in the United States codified 19 years ago is still functioning effectively. Rights owners spend a tremendous amount of time and money chasing down infringing URLs, only to see them pop up again after being taken down. It seems to them at times that ISPs simply play a game of cat and mouse with respect to takedown notices. So does notice and takedown provide meaningful redress, in 2017, against unchecked acts of infringement? Are there newer, better alternatives (such as site blocking) out there worth considering?
And what are the implications for other jurisdictions? The DMCA account termination provisions have been hard-fought points of concern in bilateral and multilateral trade negotiations and the United States has sought at every opportunity to replicate them in the various free trade agreements it negotiates around the world, including Singapore. In some instances they were successful while in others they were not. The language didn’t survive the final text of the Trans Pacific Partnership agreement, for example.
But several jurisdictions, including Singapore, have also enacted so-called ‘no fault’ provisions into their laws allowing rights owners to obtain blocking orders serviceable upon ISPs requiring them to block access to infringing websites and peer to peer networks without regard to any liability to the ISP for the underlying infringements. Research has shown that blocking access to infringing sites reduces local traffic to such sites by roughly 80% on average, suggesting it’s a more effective remedy to deter ongoing infringement than notice and takedown.
Frank Rittman is the Founding Director and Counsel for the Centre for Content Promotion. He previously served for more than a decade as the Senior Vice President, Deputy Managing Director, and Regional Policy Officer for the Motion Picture Association.
BACK TO ALL