Understanding DMCA Safe Harbors

I briefly discussed the DMCA safe harbors in a previous post. However, considering the complexity of the safe harbors (and at the behest of Washu over at Gamedev.net) some elaboration is necessary.

What are the safe harbors?

Simply put, the safe harbors limit the liability of certain online service providers for copyright infringement claims. Protected service providers include ISPs, carriers, and websites that transmit or store user content. For instance, a website like youtube.com, which hosts user-generated video content, almost certainly falls under the DMCA safe harbor. Similarly, your ISP or internet carrier, be it Comcast, Qwest, or Time Warner, would theoretically be protected under the safe harbor. The limitation of liability does not mean that absolutely no liability exists, but it does provide certain protections to those providers who exercise limited control over user content and the use of their services.

The History

Congress recognized the need for safe harbors years before the advent of the DMCA. As demonstrated in the passing of the "passive carrier" section of the 1976 Copyright Act (17 U.S.C. 111(a)(3)), Congress realized that services like telephones and cable providers could potentially be held liable for copyright infringement to the extent that their services were used to relay infringing content. The Internet further demonstrated the need for these protections because of the sheer quantity of content that could be transmitted through those same cable and phone lines. Both the courts and Congress decided that a line needed to be drawn in the case of internet websites, Usenet, and other automated systems by which content could be automatically reproduced and distributed without control or action by the original website or Usenet creator.

Thus, under the umbrella of the DMCA, the Online Copyright Infringement Liability Limitation Act was enacted. The act created safe harbors for four "types" of service providers: (1) the ISPs and infrastructure providers who transmitted packets of information; (2) the carriers that cached content to speed up transmission; (3) the websites and service providers that allowed users to upload their own content; and (4) search engines that host links and thumbnails to content.

The Four Types

Transmission. The first exception applies to internet carriers that transmit and in some cases temporarily store and/or copy packets of information for the purpose of allowing users to connect through the network to websites, FTP hosts, and the like. Essentially the first safe harbor applies to the network infrastructure provider that allows your computer or console to connect to whatever it is you're trying to connect to. Without this safe harbor ISPs would be potentially liable for any infringement that occurred on their system depending on the method of transmission.

Caching. Similarly ISPs who cache (e.g. store and save) data on their systems so that previously visited websites load faster for a user are granted limited liability. Certain requirements must be met for this safe harbor to apply, which will be discussed below.

User Generated Content. The third exception, and the one that generally receives the most attention, applies to websites and service providers that permit users to automatically store content on the website/service provider's server or system. In this case even more requirements must be met, including the registration of a DMCA agent with the Copyright office.

Search Engines. The last exception applies to search engines, directories, indexes, references, and other internet tools that link to websites or online data containing infringing content.

Qualifying for Safe Harbor Protection

As a Transmission service provider. It's unlikely that this will apply to anyone reading this blog, but people may still be interested in learning how their ISP can limit their copyright infringement liability:

  • The service provider can't initiate the transmission—this should be obvious. If the provider is the one transmitting infringing content, they're direct infringers.
  • The transmission must be an automated technical process that doesn't filter or select material. If the ISP engages in a selection or editing process in the course of transmission they may lose their limited liability (which raises some truly fascinating questions in the Net Neutrality argument).
  • The ISP can't choose who receives the material—the process must be automatic and it must be in response to a request from an end user.
  • The next qualification has two parts: first, transmitted information on the system can't be stored in a manner that would normally allow accessibility to the content by anyone other than the requesting end user; second, the information can't be stored for longer than is necessary for the transmission to the requesting end user.
  • ISPs can't modify the content in the course of transmission.

If you're caching data and content. Caching can occur at any point between request and transmission, so it's necessary to break down the players in the caching game: (1) content providers; (2) service providers; and (3) end users. It's necessary to note here that a service provider can include any site that caches user data to make logging in or other preferences readily available to the user, including sites like eBay and Amazon. Unfortunately this safe harbor is a bit convoluted, but I'll try to clarify the key points:

  • Content must be provided by someone other than the service provider. This is nothing new and is identical to the first requirement for the transmission safe harbor.
  • The system in place must be fully automated for the purpose of making material available to system users/end users.
  • The service provider can't modify the content stored on its system.
  • This is where things get tricky: the service provider must also comply with rules concerning the "refreshing, reloading, or other updating of the material when specified by the person making the material available". Ordinarily this could be exploited—for instance, an infringing content provider could establish rules that require a page to refresh every millisecond so as to make caching useless. There is fortunately a limitation to unreasonable rules. If the rules unreasonably limit or impair intermediate storage they will not interfere with the limited liability of the caching service provider.
  • Provided that the technology associated with the content doesn't (1) unreasonably impair caching, (2) go against industry standards, or (3) phish or extract data from the service provider's system (except already available information), a service provider who caches that content can't interfere with or alter the functionality of the technology associated with the content.
  • The service provider must comply with the content provider's access conditions with respect to individual users. For instance, the content provider may require a password or fee before cached information can be received by the end user.
  • If the content provider is himself infringing, the service provider must respond promptly to notification of infringement and remove or disable the infringing material. However, because caching must be automatic, this requirement is only necessary if (1) the infringing content has been removed from the originating site and (2) the notifying party (e.g., the copyright owner) includes in the notification a statement concerning removal of infringing content on the originating site.

If users can upload and store content. This is where sites like Veoh, YouTube, and other services that permit users to upload their own content come into play. It also includes webhosts like GeoCities, and blog hosts like WordPress and TypePad, that enable users to store and share content on their servers. It can even apply to forums, chat rooms, and anywhere else where users designate what is uploaded or stored on the service provider's system. This safe harbor has three major requirements:

  • The service provider cannot have knowledge of the infringement. The actual knowledge requirement provides a significant safeguard to service providers—simply being told that certain content may be infringing is rarely sufficient, and those providing notification of infringement may be required to provide appropriate available evidence in support of an infringement claim.
  • The next requirement has two parts: (1) the service provider cannot receive any direct financial benefit from the infringement, and (2) the service provider cannot have any right or ability to control infringing activity. Both parts require some elaboration. In terms of direct financial benefit, a service provider may, for example, obtain a one-time registration fee or a monthly subscription fee from an infringing user without running afoul of the safe harbor. Courts generally take a common sense approach to the financial benefit requirement and have ruled that the benefit must result directly from the infringing activity, and not generally from the user's access to the service. In terms of control, it typically must exceed the ability to block or disable content—this is common sense in light of take down notifications, discussed below. Courts have gone so far as to hold that the voluntary practice of limited monitoring to screen obvious infringements doesn't amount to control. However, the question of "control" can become a slippery slope, so monitor at your own risk.
  • As with caching, if the service provider receives adequate notification of infringement (including infringement that is patently obvious, regardless of whether the copyright owner has given notification), the service provider must take down the infringing content to qualify for limited liability. Although a service provider may refuse to take down content in response to a take down notice if it is clear to the service provider that the content is not infringing, the service provider loses protection under the safe harbor and must avail itself of the defenses that would cause the content to be non-infringing.

Linking to infringing content. This is in some ways the easiest safe harbor to understand. The infringing activity doesn't occur on any server, host, or system created by the service provider. Instead, the service provider provides an HTML link to content that is not hosted by the service provider. The qualifications are thus fairly straightforward:

  • The service provider must lack knowledge of the infringement. Even if the service provider lacks actual knowledge of the infringement it may still lose its safe harbor protection if the service provider is aware of facts or circumstances that make infringement obvious. If the service provider receives knowledge of infringement, it must disable or block the link.
  • The service provider cannot receive a direct financial benefit from the infringement. However, this requirement is only applicable if the service provider has the right or ability to control infringing activity.
  • If the service provider receives notice of infringement, they must promptly remove the link.

Notification Requirements

What must a web site do when requiring notification? Below is a very rough outline of what the DMCA Notification portion of your Terms of Service should look like if you own or operate a web site that contains a forum or other mechanism that permits users to upload content:

  • Formalities: The notification must include (1) the signature of the copyright owner or a person authorized to act on behalf of the owner; (2) a statement that the complaining individual is authorized to do so; and (3) a statement by the complaining individual asserting that they believe in good faith that the content is infringing.
  • Identification of the copyrighted work and infringing material: The notification must link to or include copies of the copyrighted work, or otherwise appropriately describe the content. The complaining party must also link to or otherwise direct the DMCA agent to the content that infringes on the copyrighted work in question. Note that in both of these cases, the material provided must be enough for the DMCA agent to identify and locate the content.
  • Service on a designated agent: The web site MUST have a designated agent registered with the Copyright Office, and must provide the contact information for that agent.

Exercising Caution When Sending Notifications

One important aspect of the notification requirement is a "good faith" belief that the material is infringing. Courts have found that this includes taking into account valid fair use defenses before submitting the notification. 17 U.S.C. 512(f)(2) holds complainants liable when they misrepresent an infringement. In those cases the complainant is accountable for damages, costs, and attorneys' fees.

