Last week’s indictment and arrest of Megaupload and seven of its execs added a strong dose of drama to an already dramatic couple of days in the copyright arena.

The US Department of Justice calls this “among the largest criminal copyright cases ever brought by the United States,” though I wouldn’t be surprised if it is actually the largest such case — I’m not aware of any larger criminal actions.1 No doubt the proceedings will be followed closely by many over the next few months.

Already, the arrest has had a sharp effect online, with other cyberlockers scaling back or shutting down altogether.

While the federal government’s action against Megaupload — which had been in the works since March 2010 (months before ICE even began its Operation In Our Sites) — will obviously have many ramifications for the future of copyright law online, I wanted to focus specifically on one of the legal issues that may be implicated in the case.

Does the DMCA apply to criminal infringement?

Perhaps the most novel legal issue that may arise during the Megaupload proceedings is whether the DMCA safe harbors provide the defendants with any defense.

As an initial matter, it seems to be an open question whether the DMCA safe harbors are available to any criminal defendant. The U.S. appears to adopt the view that they aren’t.2

The indictment notes without further explanation that “Internet providers gain a safe harbor under the DMCA from civil copyright infringement suits in the United States if they meet certain criteria [emphasis added],” although it subsequently offers reasons why the Megaupload defendants wouldn’t qualify for the defense anyway.

The language of the statute plausibly supports this view. Though it references only “infringement of copyright” — which could include both criminal and civil infringement — it merely shields service providers from “liab[ility] for monetary relief, or [in some circumstances] injunctive or other equitable relief.” This is civil lawsuit language — criminal defendants are punished with fines, not liable for monetary relief.

In addition, criminal liability would seem to preclude safe harbor protection solely as a matter of common sense. Criminal copyright infringement requires willful infringement. The DMCA safe harbor only protects service providers from liability for passive infringement. If the evidence shows that a defendant was willfully infringing copyrighted works beyond a reasonable doubt, it doesn’t seem possible that that same defendant could ever meet the requirements for safe harbor protection under the statute.

Deduplication and the DMCA

Regardless, the indictment alleges that even if the DMCA safe harbors are available to criminal defendants, the Megaupload defendants failed to satisfy the conditions for eligibility.

Among other things, Megaupload used deduplication, a common technical process used by online services to reduce the amount of storage needed for data. In Capitol Records v. MP3Tunes, Capitol argued that a similar process made the defendant liable for public performances of sound recordings, but the Southern District Court of New York disagreed, calling it a “standard data compression algorithm that eliminates redundant digital data” that didn’t give rise to liability.

It was a small win for MP3Tunes, however, since the court held that its failure to remove the actual files stored on its service when it received a DMCA takedown notice, rather than just links to the files, disqualified it from safe harbor protection.

The indictment alleges that Megaupload operated much the same way. When a user uploads a file already present on the system, “the system provides a new and unique URL link to the new user that is pointed to the original file already present on the server. If there is more than one URL link to a file, then any attempt by the copyright holder to terminate access to the file using the Abuse Tool or other DMCA takedown request will fail because the additional access links will continue to be available.”

If the Eastern District of Virginia follows the same reasoning as the MP3Tunes court, this doesn’t necessarily mean Megaupload is ultimately liable, but it would mean that it wouldn’t be protected by the DMCA.

I don’t know for certain how big a role the DMCA safe harbor will play in the case; only time will tell. But I’ll definitely be keeping a close eye on the legal developments of what promises to be a watershed moment in copyright history.


  1. The closest seems to be Operation Safehaven in 2003. []
  2. The U.S. is not alone in adopting this view. See, for example, Eric Goldman, A Road to No Warez, 82 Or. L. Rev. 369, 425 (2003), “In the DMCA, Congress putatively provided some facilitators a safe harbor from civil liability for user-caused infringement [emphasis added].” []


  1. Pieter Hulshoff

    The indictment alleges that Megaupload operated much the same way. When a user uploads a file already present on the system, “the system provides a new and unique URL link to the new user that is pointed to the original file already present on the server. If there is more than one URL link to a file, then any attempt by the copyright holder to terminate access to the file using the Abuse Tool or other DMCA takedown request will fail because the additional access links will continue to be available.”

    Copyright does however give the problem here that certain uses of a copy may be illegal, while others are not. Consider the following situation:
    1. Person A uploads a song for personal (fair) use only (it’s a file locker after all).
    2. Person B uploads the same song, but gives out the link to others for download.
    3. The rights holder uploads the same song for promotional purposes (see Viacom vs YouTube).

    The 2nd link will most likely get a DMCA notice. If the file is removed along with link 2, person A and the rights holder are left without their legal use of the same song. What are the legal implications here in your opinion?

    • Megaupload did everything possible to circumvent the intent of the DMCA “safe harbor.” It’s common knowledge among the piracy crowd that infringing files were not removed, only links. I I myself have documented instances where disabled links were replaced within 30 seconds by a new link to the identicial (original) file on Megaupload. Everyone knew the workarounds and how to generate multiple links for their infringing files. There are websites that would assist in this effort. The files in question were not intended for personal use, but “shared” on forums and blogs in order to increase the number of downloads (and rewards for uploader).

      The DMCA works for small cases of copyright infringement with websites that respect the law. The problem is that the majority of cyber locker websites do (did) not. The Megaupload indictment provides a useful glimpse into how (and why) these sites operate. Watching them scatter into the shadows only confirms the fact their businesses were, in fact, criminal enterprises.

      With all the attention paid to SOPA etc. it would be nice to see Congress review the DMCA, and possibly revise the “safe harbor” provision in order to make it more difficult for cyber-thieves to plead ignorance, despite clear evidence to the contrary.

      • Really well said, KD. Thanks

      • While I don’t dispute that, it will be interesting to see how exactly MegaUpload differs in that regard from RapidShare, which after all won its case in the US courts. Putting the shadiness of MU management aside, my question remains: from a legal perspective, what is the impact of the situation I described?

      • Pieter Hulshoff sez…
        “I myself have documented instances where disabled links were replaced within 30 seconds by a new link to the identicial (original) file on Megaupload.”

        How were you made aware of “new” links…within 30 seconds?
        Did MegaUpload notify you?
        Was it tracking software of some kind?
        Please provide one of the “documented instances” you mention, it sounds fascinating!

        • My apologies
          It was “KD” who posted the claim…
          “I myself have documented instances where disabled links were replaced within 30 seconds by a new link to the identicial (original) file on Megaupload.”
          not Pieter.
          My bad.

        • Torrent Assasin

          I have likewise recorded this deduplication on which reassigns a unique 4 digit number preceding the hash of any given torrent file. When I send a DMCA takedown for one URL (even demanding that the hash itself be blocked from further propagation) the same exact file is posted again within minutes under a different URL, despite that the filenames are the exact same and the actual torrent is the same, as well as the same title of the copyrighted content. In fact, when this was brought to the attention of officials in Canada, they moved to arrest the owner of BTJUNKIE, who fled the country the same day. I intend to remind the Canadian police of this fact and will urge them to liaison with the FBI to bring in the site owner.

    • Good question. Likely little legal effect on Megaupload. As MP3Tunes suggests, MU would need to remove the actual file rather than individual links to the file to qualify for the DMCA safe harbor. However, it’s possible that it could face liability from its users for taking down content. The DMCA grants immunity from liability for service providers taking down content uploaded by subscribers, provided they notify the subscriber. In cases like this, where the data is deduplicated, I read that as requiring MU to notify each and every user who would find their content removed — in which case users who have a right to copy the content to the service could submit a counternotification, requiring MU to replace the material within 14 days or face possible contractual liability. But even if they fail to do that, a user would probably not have recourse: MU expressly waives all warranties to its service and its terms of use reserve broad rights to remove access to any content uploaded to its servers.

      In the alternative, MU could operate without relying on DMCA safe harbors. As I noted above, qualification for safe harbors is independent of the question of ultimate liability for copyright infringement. Under contributory copyright infringement doctrine, once a service has knowledge that a particular use of a work is infringing, it can be held liable if it fails to act to prevent future such infringing acts. If MU wanted to operate both within the law and in a way that kept as much content on its servers as legally possible, it would be incumbent upon MU to investigate the legaility of other users’ rights to content identified in a notification.

      • Then why do rights-holders have to send multiple DMCA notices for the same infringing material? If Genesis issues a takedown that says ” ‘Genesis- The Lamb Lies Down on Broadway’ is not allowed here”, why are the cyberlockers allowed to keep posting links with material titled as such?

        • I don’t think right holds have to send multiple DMCAs. But you do have to word the notice carefully.

          Title 2, § 512.c.3.A.ii) Elements of Notification – Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a *representative* list of such works at that site.

          At which point, I think Terry’s right in that a site operating within bounds would have to notify every user that is affected for counter notices.

          The management’s attitude and emails also seems to unshield them from the information location tool safe harbor provision in § 512.d. It’s probably why so much effort was involved in getting those emails.

  2. The DMCA won’t protect Megaupload. First of all, the DMCA does not give safe harbor to direct infringers, whether civil or criminal, so there’s no protection for the direct infringement charge. Nor does the DMCA provide any immunity for the conspiracy charge. The only charge it could conceivably be useful for is the aiding and abetting charge, and even there it won’t work. The DMCA safe harbors simply codify existing common law secondary liability principles. In general, if a service provider is liable for secondary infringement (like, say, contributory infringement), then the safe harbor doesn’t protect them and they get no immunity under the DMCA.

    However, Megaupload isn’t being charged with simple common law secondary infringement (either contributory or inducement), which are tort standards (and the DMCA safe harbors clearly were drafted as tort standards). They’re being charged with aiding and abetting criminal copyright infringement, which is a criminal law standard. Common law principles of accomplice liability control the inquiry.

    The prosecution, in showing that Kim Dotcom et al. are complicitors, will have to prove above and beyond what’s required to show that they’re simply secondary infringers. In other words, by proving that they’re aiders and abettors, the prosecution will necessarily have shown that they wouldn’t have qualified for the safe harbors in the first place–secondary infringers don’t get the safe harbors and all aiders and abettors are necessarily secondary infringers.

  3. I can find no conceivable way to read the DMCA to immunize criminal behavior. Clearly it is in the complaint to show (1) wilfullness and (2) to head off any DMCA defense before it’s raised. I will point out, however, that there is one interesting aspect to the DMCA issue. 512(c)(1) says that a service provider, under the circumstances listed, will not be subject to, among other things, “monetary relief.” “Monetary relief” is defined in (k)(2) as, among others, “any other form of monetary payment.” The indictment contains a long list of property it asks the court to forfeit. However, there is also a prayer for “a money judgment …equal to the total value of the property subject to forfeiture, which is at least $175,000,000.”

    Is such a prayer for relief, in the form of a judgment resulting from a criminal conviction requiring the defendant to pay money, “any other form of monetary payment” for purposes of the DMCA? And might the statute prevent a criminal judge from ordering that money judgment?

    • As long as Megaupload doesn’t get the safe harbors under the DMCA (which they don’t), then they don’t get that particular benefit of being free from liability from monetary relief.

      It seems clear from the indictment that Megaupload induces infringement, and a service provider that induces infringement doesn’t get DMCA safe harbors: “In other words, inducement liability and the Digital Millennium Copyright Act safe harbors are inherently contradictory. Inducement liability is based on active bad faith conduct aimed at promoting infringement; the statutory safe harbors are based on passive good faith conduct aimed at operating a legitimate internet business. Here, as discussed supra, Defendants are liable for inducement. There is no safe harbor for such conduct. Accordingly, Defendants are not entitled to the affirmative defenses provided by the Digital Millennium Copyright Act.” Columbia Pictures Indus., Inc. v. Fung, 2009 WL 6355911 (C.D. Cal. Dec. 21, 2009).

  4. Pingback: Megaupload’s Duplicate Links Do-si-do Around the DMCA | Pop Up Pirates

  5. Well, here’s an example of how Megaupload did just what’s outlined in the indictment, or at least made it possible (by not deleting files)

  6. Megaupload is not a service provider under 17 USC § 512(k)(1)(B). Neither is YouTube. In fact, you will find that there is a ton of evidence available that proves that YouTube allows downloading of all their files, knowingly, establishing Grokster and Playboy vs. Frena (1993 FL)

    As for case-law that negates the status of 17 USC § 512(k)(1)(B) for companies like Megaupload, YouTube, even Google., the judges omitted the second part of the definition which says “and includes an entity as described in subparagraph(A)” (which is 17 USC § 512(k)(1)(A), the unconditional inclusion to be defined as the singular definition to secure an exclusive right. In other words, what protects entities like a phone-company in 17 USC § 512(k)(1)(A), simply protects an ISP like EarthLink in 17 USC § 512(k)(1)(B) to expand their business, yet still require a telephone company to access them. Google and YouTube do not provide either A or B.

    Case-law that grant the service provider status simply had plaintiffs cart-blanche give the definition to the defendants. Nearly insane. Examples are Hendrickson vs. Ebay, Perfect 10 vs CC Bill (but the service provider provision was REMANDED in the appellate case, doesn’t anyone know this?), Io vs, Veoh, UMG vs Veoh, etc. Other case law has decisions that puts “and includes” outside of the quotes to assume that there is a dual definition inside 17 USC § 512(k)(1)(B). But the legislative material clears that this is a single definition, that Internet Access only grants the qualification. For Yahoo Directories, Yahoo was a code-sharing ISP with telephone companies.

    Read the published book “HR-2281: And Then the DMCA Didn’t Apply on the Earth (Viacom vs. Google)” on Amazon and the Amazon Kindle. An amazing argument against 17 USC § 512(k)(1)(B) by the author. He knit-picked everything, and has been contacting Bloomberg for years on this and they do not even respond to him. He has bent all the way over for Viacom’s argument because computer science is involved, and it no one understand that, they come up with inaccurate arguments that Google and all these online internet companies are laughing their asses off.

    In fact, look at what YouTube did to Prince in that book, dishing out DMCA provisions to him, an exclusive right owner of his own copyrights, while YouTube collected and drew demand from him. The document is Kohlmann #01.

    Disgusting. All of this has collapsed the economy itself, and Eric Schmidt is laughing at all the stupidity, destroying those that know it correctly.

  7. Pingback: Megaupload takedown creates trouble for users and cyberlocker community at The MTTLR Blog

  8. Pingback: Mega Conspiracy: Kim Dotcom, SOPA and capitalism « Workers Party (NZ)

  9. Pingback: Megaupload Dance around the DMCA - Peace, Love & Apple Pie | Peace, Love & Apple Pie