February 20, 2018

Study Shows DMCA Takedowns Based on Inconclusive Evidence

A new study by Michael Piatek, Yoshi Kohno and Arvind Krishnamurthy at the University of Washington shows that copyright owners’ representatives sometimes send DMCA takedown notices where there is no infringement – and even to printers and other devices that don’t download any music or movies. The authors of the study received more than 400 spurious takedown notices.

Technical details are summarized in the study’s FAQ:

Downloading a file from BitTorrent is a two step process. First, a new user contacts a central coordinator [a “tracker” – Ed] that maintains a list of all other users currently downloading a file and obtains a list of other downloaders. Next, the new user contacts those peers, requesting file data and sharing it with others. Actual downloading and/or sharing of copyrighted material occurs only during the second step, but our experiments show that some monitoring techniques rely only on the reports of the central coordinator to determine whether or not a user is infringing. In these cases whether or not a peer is actually participating is not verified directly. In our paper, we describe techniques that exploit this lack of direct verification, allowing us to frame arbitrary Internet users.

The existence of erroneous takedowns is not news – anybody who has seen the current system operating knows that some notices are just wrong, for example referring to unused IP addresses. Somewhat more interesting is the result that it is pretty easy to “frame” somebody so they get takedown notices despite doing nothing wrong. Given this, it would be a mistake to infer a pattern of infringement based solely on the existence of takedown notices. More evidence should be required before imposing punishment.

Now it’s not entirely crazy to send some kind of soft “warning” to a user based on the kind of evidence described in the Washington paper. Most of the people who received such warnings would probably be infringers, and if it’s nothing more than a warning (“Hey, it looks like you might be infringing. Don’t infringe.”) it could be effective, especially if the recipients know that with a bit more work the copyright owner could gather stronger evidence. Such a system could make sense, as long as everybody understood that warnings were not evidence of infringement.

So are copyright owners overstepping the law when they send takedown notices based on inconclusive evidence? Only a lawyer can say for sure. I’ve read the statute and it’s not clear to me. Readers who have an informed opinion on this question are encouraged to speak up in the comments.

Whether or not copyright owners can send warnings based on inconclusive evidence, the notification letters they actually send imply that there is strong evidence of infringement. Here’s an excerpt from a letter sent to the University of Washington about one of the (non-infringing) study computers:

XXX, Inc. swears under penalty of perjury that YYY Corporation has authorized XXX to act as its non-exclusive agent for copyright infringement notification. XXX’s search of the protocol listed below has detected infringements of YYY’s copyright interests on your IP addresses as detailed in the attached report.

XXX has reasonable good faith belief that use of the material in the manner complained of in the attached report is not authorized by YYY, its agents, or the law. The information provided herein is accurate to the best of our knowledge. Therefore, this letter is an official notification to effect removal of the detected infringement listed in the attached report. The attached documentation specifies the exact location of the infringement.

The statement that the search “has detected infringements … on your IP addresses” is not accurate, and the later reference to “the detected infringement” also misleads. The letter contains details of the purported infringement, which once again give the false impression that the letter’s sender has verified that infringement was actually occurring:

Evidentiary Information:
Notice ID: xx-xxxxxxxx
Recent Infringement Timestamp: 5 May 2008 20:54:30 GMT
Infringed Work: Iron Man
Infringing FileName: Iron Man TS Kvcd(A Karmadrome Release)KVCD by DangerDee
Infringing FileSize: 834197878
Protocol: BitTorrent
Infringing URL: http://tmts.org.uk/xbtit/announce.php
Infringers IP Address: xx.xx.xxx.xxx
Infringer’s DNS Name: d-xx-xx-xxx-xxx.dhcp4.washington.edu
Infringer’s User Name:
Initial Infringement Timestamp: 4 May 2008 20:22:51 GMT

The obvious question at this point is why the copyright owners don’t do the extra work to verify that the target of the letter is actually transferring copyrighted content. There are several possibilities. Perhaps BitTorrent clients can recognize and shun the detector computers. Perhaps they don’t want to participate in an act of infringement by sending or receiving copyrighted material (which would be necessary to know that something on the targeted computer is willing to transfer it). Perhaps it simply serves their interests better to send lots of weak accusations, rather than fewer stronger ones. Whatever the reason, until copyright owners change their practices, DMCA notices should not be considered strong evidence of infringement.


  1. Michael Donnelly says:

    I don’t think that letter would qualify as a soft “warning” to many recipients. Has the provision for sending wrongful DMCA notices ever actually been asserted other than in the typical file-and-settle action we see? It seems like that part of the law was written specifically for this case, to prevent copyright holders from terrorizing the populace at random.

  2. Michael Donnelly says:

    As an afterthought, are there still any campuses that have IP-enabled soda machines or microwave ovens? I remember them being a funny diversion a few years ago, but their novelty may have faded.

    If so, it would be a good target for spoofing the takedown notice. The only thing better than a Hot Pocket for studying is one that was cooked by an infringing microwave oven. Mmm, tasty.

  3. Michael, I don’t believe that the quoted letter is a warning, but rather one of the official takedown notices: “this letter is an official notification to effect removal of the detected infringement.” The warning system is purely hypothetical at this point.

    That being said, I agree with the sentiment of your first comment: these warning letters are a bad idea. Everything in that letter except the line about the notice being official notification could be included in a warning letter. Furthermore, the companies that send the “warning letters” have every incentive to use the most threatening language possible (and thus to make the letters appear that they are _not_ warnings). The very purpose of these letters is to discourage file sharing, so ominous language forwards the interests of the letter writers at the expense of clarity.

    To compound the problem of “everybody [understanding] that warnings were not evidence of infringement”, the public’s knowledge of copyright law is weak. I have friends who are getting advanced degrees (not in law, mind you) at some of the best universities in the US who have received these letters and they read them as “Look, threatening official language from a lawyer: I must have done something bad, and I should give in to their demands lest I get in more trouble.”

    Moreover, I have to disagree with the principle behind the warning letters. There are no signs in a bank that flash “PLEASE DON’T ROB US, YOU MIGHT BE IN JAIL FOR A LONG TIME” when one gets too close to the safe. There are signs in some places, SF Muni comes to mind, that warn of punishment for, say, assaulting the driver but these warnings aren’t activated by anyone’s ‘suspicious behavior’ and don’t require any monitoring of the populace.

    Tolerating the behavior of a surveillance organization that sends out warning letters upon mere suspicion of activity that organization perceives as illegal seems like bad public policy because it will result in many false positives (if not ALL false positives, there would be no accountability for the letter writers since they are only warnings and therefore no disincentive to send out as many as possible to as many people as possible aside from the cost of postage) that will chill legitimate activity online.

  4. Complaining about it on weblogs isn’t going to make the ??AA change their ways. The key here is taking them to task for swearing out these letters “under penalty of perjury”.

  5. dr2chase says:

    Barry, the penalty of perjury thing is a complete diversion, because the assertion that the swearing supports is “they hired us”.

    Now, if someone could automate the “framing” and use it to finger the IPd of zombied computers used for spam and phishing….

  6. Jim Lyon says:

    I would not be surprized to see some activist use the techniques of the study to cause the enforcers to send takedown notices to every member of Congress and every federal judge. The ensuing hijinks would be fun to watch.

  7. I think the copyright claimants are clearly overstepping, but whether they can be held legally accountable is a closer call. Conducting and publicizing these studies of their errors, however, could help bolster the case against the flawed demands. Specifically, investigators aware they’re using flawed methodology can no longer assert a “good faith belief” that they are reporting unauthorized use – because they have no basis to believe they’ve identified any “use of the[ir] material” at all. 512(c)(3)(v) At some point, continued use of known bad information-collection methods could open the copyright claimants to legal challenge under 512(f), for “knowingly materially misrepresent[ing]” infringement.

    These automated takedowns are particularly problematic when they trigger suspension of user accounts, as they do at some colleges and universities or service providers acting to preserve their safe-harbor eligibility by terminating repeat infringers. 512(i) While I argue they could refrain from doing so on the grounds that automated notices are not “appropriate circumstances” for termination, it is not surprising that many ISPs prefer to avoid the risk.

  8. To amplify Wendy Seltzer’s point, a written statement purporting to accuse someone of violating federal law, made with reckless disregard for its factual accuracy, and resulting in clearly-identifiable economic and other damage (e.g. loss of a long-held email address, loss of computer access necessary for matriculation) would seem at first blush to meet the usual standards for actionability. (Of course, if you don’t happen to have lawyers on retainer pursuing the action would be unfeasible.)

  9. Frater Plotter says:

    There’s a bug in the DMCA takedown process. At present, it requires the party sending the takedown notice to swear under penalty of perjury that they do in fact represent the copyright holder. However, it does not require them to swear to the much more relevant portion of the notice: their “reasonable good-faith belief” that infringement is taking place.

    A reasonable bug-fix would be to hold takedown-senders liable for the time and effort spent investigating notices sent without sufficient reason to believe that infringement exists. This would include, for instance, notices sent regarding the supposed conduct of printers. It would also include an even more obviously negligent case that I dealt with in a previous job: notices sent regarding the supposed conduct of IP addresses that have literally never been routed.

  10. Spurious DMCA takedown notices clearly do a lot of harm, but the hassle it would take to hold takedown-senders liable might cause copyright owners with the need to call in infringement to be unable to do so. Clearly standards need to be raised, but perhaps not as much as Mr. Potter suggests.

    The book Copyright and Creative Freedom: A Study of Post-Socialist Law Reform by Mira T. Sundara Rajan provides interesting insight into this topic. The book can be found in ebook form at BooksOnBoard.com-Copyright and Creative Freedom
    Happy reading!

  11. Lawrence D'Oliveiro says:

    They’re a big, important corporate organization with a whole army of lawyers working for them. Therefore they must know what they’re doing. End of story.

  12. supercat says:

    The proper solution is to require people sending takedown notices to affirm under penalty of perjury that they are the copyright holders if [i]specifically identifiable material on the site[/i], for example:

    I do hereby affirm that I am an agent of Acme Cartoons, Inc., a copyright holder of the material identified below.

    (low-res photos of content, and URLs of low-res/low-quality audio visual files for reference).

    This material was made available via the indicated URLs as of the times indicated.

    (list of addresses and times)

    A site holder could then check to observe whether the specified URLs point to material resembling the material shown.

  13. “Spurious DMCA takedown notices clearly do a lot of harm, but the hassle it would take to hold takedown-senders liable might cause copyright owners with the need to call in infringement to be unable to do so.”

    Oh, how I weep…:P

  14. I have some questions about the study. It doesn’t identify the “enforcement agencies” (an inaccurate term, since they’re private parties) making the complaints, even stripping identifying information from the one complaint which is posted. It doesn’t explain how the complainants arrived at the identity of the alleged infringing works (in the example Iron Man) when the testers were just crawling the servers. The study incorrectly claims to be “the first to provide scientific evidence that people could be receiving [invalid] DMCA notices” when in fact there have been documented cases before (e.g., the “Red Bones” complaint which the Berkman Center publicized).
    Maybe the problem is just over-reticence plus hyperbole, but it detracts from the report’s credibility.

  15. Objection: relevance?