Megaupload Details Raise Significant Concerns About What DOJ Considers Evidence Of Criminal Behavior
from the bad-cases-and-bad-law dept
Yesterday I wrote up a first reaction to the Megaupload case. Having spent some more time going through the indictment in much greater detail, I have some more thoughts and concerns.
First, it’s important to acknowledge that the founder of Megaupload, who goes by Kim Dotcom, has a long history of
flaunting flouting the law in a variety of ways. That makes him quite unsympathetic in a court. On top of that, there are certain claims in the indictment that, if true, mean it’s quite likely that he broke the law. Whether or not the violations amount to racketeering & conspiracy is beyond any analysis that we’re going to be able to do here. I would say that I would not be at all surprised if he’s found guilty.
Where my concerns come in is in some of the “evidence” that’s used to add to the overall indictment. To be clear, in a case like this, the issue is the evidence as a whole, combined to show intent and a general pattern to actions. So the allegations in the indictment don’t necessarily mean that any individual action is, by itself, illegal. But, I still worry that some of the specific actions used to paint this picture are (1) potentially taken out of context, (2) are presented in a way that likely misrepresents the actual situation and (3) could come back to haunt other online services who are providing perfectly legitimate services.
- For example, the indictment points out that Megaupload did not have a site search, by which users could find material. That’s interesting, but it seems like an odd piece of information in making the case. Other copyright cases have specifically found that having a search engine is part of an inducement claim — so there’s an argument that the idea not to have a search engine wasn’t so much “conspiracy,” as it was an attempt to follow the guidance of the court and to stay legal. To use the lack of a feature, that previously was shown to be a problem, as evidence of a conspiracy is crazy. Damned if you do, damned if you don’t.
- Separately, the indictment lists various feature choices as part of making its case. There is, for example, the fact that if certain files aren’t downloaded in a certain amount of time, then they are deleted. The indictment presents this as evidence that the service is mainly for infringement, because it potentially precludes the idea that the site is used for long-term backup. Of course, that falsely assumes that long-term backup is the only legitimate use of a cyberlocker. But that might not be the case at all. The service could (and is) used to just distribute large files in a directed, short-term effort. If anything, the fact that files are deleted after they’re done being shared highlights a key legal function of the site: it was used by people to exchange large files once or twice, since they’re too big to share via email attachment.
On top of that, other, legitimate, sites have similar policies. The popular image hosting site Imgur does the same thing: if people don’t access an image for an extended period of time, Imgur may delete it. That’s not because it’s encouraging infringement, but because it knows that the service is being used for short-term distribution.
- There is also the question of paying certain uploaders. However, there does seem to be a bit of a stretch in assuming that because some uploaders get lots of downloads by posting infringing content, all such “paid” users must be putting up infringing works. There are plenty of viral videos that are quite popular not because of infringement. In fact, much of this seems to be based on the simple assumption that encouraging more usage means they must be encouraging infringement. It’s entirely possible that Dotcom did encourage infringement, but it feels like there should be more actual evidence of that, rather than pasting together a bunch of claims that could be interpreted in legitimate ways. Paying users for popularity is not, and should not, be evidence of criminality, or even infringement.
- There is also the claim that, while the company did remove some works upon takedown notice, it merely removed one link to the work, but left up other links. The issue here, as noted elsewhere in the indictment, is that Megaupload has a system for de-duplication — so that if multiple people uploaded the same file, it only kept one version, but made it available at a different link for each person. This is the same sort of thing that lots of legitimate sites do, including Dropbox. The question, then, is if you do something like that with a locker service, and keep a single file, accessible through multiple locker links, what do you do if you get a takedown? This is still somewhat of an open question — and was one of the points raised (in a civil copyright infringement context, which is very different) in the EMI vs. MP3tunes case. In that case, the company was told that it did, in fact, have to delete the actual file. But that raises other questions. Let’s present a hypothetical: what if infringer A and authorized distributor B both upload the same file. The system de-dupes and uses a single file for each to access. Now, the copyright holder discovers A’s version, and issues a takedown. It will automatically take down B’s authorized work as well — even though that copy was not infringing. Or… what if someone uploads a copy, but for their own personal use to access remotely, but never shares the link? In that case, no infringement is occurring… but DOJ seems to claim that the site would have to delete the file anyway, or there may be criminal risk. That’s crazy.
- The complaint argues that because Megaupload’s “top 100” list does not actually list the top 100 downloads on the site, this is more evidence of conspiracy. The issue here is that the list apparently removes files that are likely infringing. But… again, in other cases (like the IsoHunt case) such lists were also seen as proof of inducement. So, again it’s a damned if you do, damned if you don’t situation. If Megaupload’s list showed infringing works, then they’d be charged with inducement… but removing them from the list makes them guilty of conspiracy?
- In addition, the indictment shows that, despite the company not being a US company, it did set up a DMCA agent, a tool to make removing files easier, and did take down works on request. There are some reasonable questions about if it ignored some takedown messages (likely) and the fact that it put limits on how many takedowns could be done per day with its tool. Those certainly work against the company in terms of retaining any DMCA safe harbors. Similarly, there is some evidence that the owners of the site may have uploaded infringing files themselves — which, again, has no DMCA protections.
- The indictment points out that Megaupload used its hashing system to maintain a list of known child porn and block those files from being re-uploaded. The problem here is that copyright is different than child porn. Child porn is a strict liability issue: it is always illegal. There are no extenuating circumstances. But copyrighted content is different. It could be authorized. It could be fair use. And that depends on the specific use, not the file. So using a hash system there doesn’t make sense, whereas it can make sense for child porn.
- The indictment also lists all sorts of emails, some of which are more damaging than others, but some of which may be taken out of context. All of them seem to assume that Megaupload employees can easily tell, often just by file name, what’s infringing and what’s not. I think this is an assumption that many people who don’t understand copyright law make. And while you can guess… it’s not always so easy. The recording industry, for example, regularly uses cyberlockers as a legitimate way to distribute promo copies. How would Megaupload know if certain files were legit or not, without further details? Yes, there’s obvious infringement happening on the site, but will Megaupload always know which specific files are infringing?
- The indictment discusses demands from Universal Music that Megaupload would need to meet before UMG would even discuss a potential license. This included: “proactive fingerprint filtering to ensure that there is no infringing music content hosted on its service; proactive text filtering for pre-release titles that may not appear in fingerprint databases at an early stage; terminate the accounts of users that repeatedly infringe copyright; limit the number of possible downloads from each file; process right holder take down notices faster and more efficiently.” While the DMCA does require action against repeat infringers, there are no legal requirements for the other issues. It’s not clear why that should be evidence here. The fact that Megaupload didn’t go above and beyond what the law requires shouldn’t be seen as evidence of wrongdoing…
- Many of the emails discuss the fact that, in general, there are infringing works on the site. Yeah, but that’s the same issue in the YouTube case and other cases. General knowledge that your tool is used for infringement is kind of meaningless, because you can’t take works down if you don’t know what’s actually infringing.
- Money laundering claims are tricky and perhaps there was some “money laundering” going on here, but this indictment seems to include basic payments to Megaupload’s hosting companies. Using payments to companies for hosting as evidence of money laundering seems pretty extreme, and suggests the possibility that this is just a “lumping in” situation, just to pile on more things that look bad, but aren’t illegal by themselves.
Do these kinds of things work together to paint a picture of the company encouraging infringement? It’s certainly possible that a court will add up a bunch of things like this and insist that’s true. My fear is that, at least with some of these points, there are perfectly reasonable, non-infringing contexts for them. Then, what I worry about, is that in later cases, these types of things are used as “evidence” against companies and services that are legit. Even worse, there’s a real worry that it creates chilling effects for lots of legitimate services who do things like de-duplification, or have legitimate backup services. If you’re running Amazon S3 or Dropbox, do you now suddenly change how you do business, just to avoid the possibility of being accused of racketeering and criminal copyright infringement? That’s worrisome.
But the bigger overall issue is why this action and why now? Companies in the US have filed civil cases against Megaupload in the US and the company was willing to come to the US and deal in US courts. Taking it up to a criminal “conspiracy” and racketeering charge seems like overkill, with tremendous collateral damage and chilling effects.