Veoh: Increased Protection for Service Providers, Or a Trapdoor?

The August 2008 ruling in Io Group, Inc. v. Veoh Networks, Inc., No. C06-03926 HRL, 2008 WL 4065872, (N.D. Cal. Aug 27, 2008), has been widely heralded as a win for online service providers in the legal maelstrom surrounding social media. Veoh is an Internet TV platform, similar to YouTube, that hosts user-uploaded content. When clips from adult movies owned by Io Group appeared on Veoh's network, rather than issuing Digital Millennium Copyright Act notices to Veoh requesting that their content be removed, Io went to court with a copyright infringement suit. But Io Group lost.

A Lesson for Content Owners

For content owners, the Veoh ruling reaffirms the importance of utilizing the DMCA takedown provisions, which require sending a take-down demand notice first, rather than running straight to a judge with a copyright infringement complaint. Had Io Group issued a DMCA notice before going to court, Veoh would have been under a duty to remove or disable access to the offending material. However, Veoh was able to claim the protection of the DMCA safe harbor because, by failing to send notice of the alleged infringement, Io Group could not prove that Veoh knew or should have known about infringing activity on its site.

Protections for Service Providers

In addition to clarifying the importance of sending proper notices, perhaps the biggest win for technologists under this case is the broadening of what is protected under the DMCA '512(c) safe harbor. When users uploaded content to Veoh's service, automatic processes would generate flash copies of uploaded clips and extract full resolution screen caps, which were used to index and organize content on the site. Io Group argued that since these files were created by Veoh and that uploaders might not even be aware that they were being created, Veoh should be held liable for infringements arising out of this content. The court held that inasmuch as these files were generated to facilitate user access to material on Veoh's Web site, they did not run afoul of the law when generated automatically.

Referring to statutory language, the Veoh court found that the DMCA both contemplated and implicitly recognized that some modification to uploaded content is permitted under '512(c). The DMCA offers two distinct definitions of “service providers” that may be eligible for safe harbor protection. As applied to the so-called “conduit-only” provisions of '512(a), a service provider must operate “without modification to the content of the material.” No such limitation applies to '512(c).

Indeed, one of the stated purposes of the DMCA was to facilitate the robust development and worldwide expansion of e-commerce, communications, research, development, and education in the digital age. This holding will provide innovators with broader protection for the back-end of platforms that provide content to viewers online.

The decision also affords service providers a degree of flexibility in how they deal with repeat infringers appearing on their services. Because anyone could sign up for Veoh's service using a pseudonym and disposable e-mail address, Io Group challenged Veoh's termination policy, claiming it was impossible for Veoh to detect if a banned user simply signed up with a new account. Since the same offenders would be back on the site, Io Group argued that the termination policy was effectively useless. Beyond noting that the existence of hypothetical rogue infringers does not raise an issue of fact, the court stressed that '512(c) does not require service providers to police users by tracking IP addresses (as suggested by Io Group), or by any particular method, so long as the ends of '512 are achieved.

To do so, Veoh implemented a system that allowed it to disable access to infringing material on its users' hard drives. Veoh also made use of digital fingerprinting technology that tracked files identical to those previously determined to be infringing and blocked them from reappearing on its servers. The court applauded these efforts and highlighted that the DMCA requires reasonable, not perfect, policies.

A Trapdoor in the Ruling?

One potentially troubling aspect of the Veoh ruling is the court's analysis pursuant to '512(c)(1)(B) of the DMCA. Under this provision, a service provider will lose safe harbor protection if it receives a direct financial benefit from infringing activities taking place on its service when it has the right and ability to control such activities. In an otherwise sensible discussion of this provision, the court may have created the basis for an affirmative duty for service providers to police infringing content by blurring the line between these similarly constructed concepts.

The court's discussion began with an analysis of whether Veoh had the right and ability to control the infringing activities of its users. Io Group's position was that because Veoh conducted spot checks of video files already uploaded to its servers for infringing activity, removed content, and terminated accounts of noncompliant users, Veoh did in fact exercise such a right and ability to control infringement.

The court astutely characterized this evidence as indicating that Veoh could control its own system, rather than the infringing activities of its users. As the court observed, the DMCA presupposes that a service provider has control of its system; it requires that the service provider block access or remove content posted on its system when it receives notice of claimed infringement. Accordingly, the court elaborated that the “right and ability to control” described under the DMCA cannot simply mean the ability to block or remove user uploaded content, and that “something more” must be demonstrated.

Elaborating upon what might constitute “something more,” the court may have veered off course. In attempting to determine what might constitute control in the digital context, the court put particular emphasis onto language from a discussion of vicarious liability in A&M Records, Inc. v. Napster, 239 F.3d 1004 (9th Cir. 2001), suggesting that a “reserved right to police must be exercised to its fullest extent.” This language carries through to the court's examination of Veoh's conduct where it wrote that, “[p]erhaps most importantly, there is no indication that Veoh has failed to police its system to the fullest extent permitted by its architecture.”

While the '512(c)(1)(B) requirements have grown out of principles and language traditionally associated with vicarious copyright liability, the two bodies of law diverge in an important manner. The DMCA explicitly states in '512(m) that the DMCA should not be construed to condition the applicability of the safe harbors on a service provider actively monitoring what users put on its service or otherwise policing for infringing activity. Accordingly, this element of the court's analysis not only directly contradicts the plain language of the statute, but might also be read to place an unintended burden on service providers to police to the fullest extent their architecture makes possible. If this inconsistency is not addressed moving forward, service providers could be held to a more rigorous standard of behavior under this decision than the plain language of the statute requires.

When Congress drafted the DMCA, it recognized that the Internet was fundamentally distinct from other environments in which copyright must operate. Certain functionalities that sustain the seamless operation of the Internet rely on behaviors that, under pre-DMCA copyright analysis, would give rise to countless infringements of copyright. Thus, Congress decided to limit the liability of Internet Service Providers with respect to these functionalities, including transitory communications, system caching, information location, and the storage of files at the direction of a user. These four behaviors each received safe harbor under the DMCA. In exchange for this protection, service providers took on a duty to act affirmatively when they learned that their services are being used to violate the rights of others. Section 512(m) is one manifestation of that balancing of incentives. As long as service providers make it easy for content owners to police infringing activity on their own, the service providers should not be expected to take affirmative action to seek out, monitor, or otherwise police for infringing activity.

This shifting of the burden to content owners, however, can be counterbalanced under the same provision of the DMCA. Section 512(m)'s disclaimer of a duty to police is subject to the service provider's compliance with “standard technical measures,” defined elsewhere in the statute as measures used to protect copyrighted works that are widely available, not overly burdensome for service providers to adopt, and developed “pursuant to a broad consensus of copyright owners and service providers in an open, fair, voluntary, multi-industry standards process.” In the end, content owners may be better served spending their time, money, and efforts on coordinating such a standards process than on hauling Internet Service Providers into court.

Oddly enough, the court acknowledges that an antecedent ability to filter or pre-screen for copyrighted material is the level of control that would be considered to violate '512(c)(1)(B) under Tur v. YouTube, Inc., No. CV064436, 2007 WL 1893635 (C.D. Cal., June 20, 2007), at the outset of its analysis. This precedent is not only sufficient to support the court's conclusions, but also bookends nicely with the holding that automatically generated copies used for indexing purposes are not infringements.

Except for the possible shift to service providers of the burden to police infringement, the opinion is detailed and well-reasoned. A comprehensive analysis of the case will provide content owners and media sites alike with solid guidance moving forward. Moreover, the case underscores the consequences of drawing legal conclusions from a particular set of facts and the dangers of anything less than a thorough examination of their long-range implications.

Steven R. Masur (smasur@masur law.com) is the founding member and general manager of MasurLaw, a media and entertainment law firm where he focuses on corporate transactional and intellectual property work in the field of digital entertainment. David J. Mazur ([email protected]) is an associate at MasurLaw who specializes in intellectual property and corporate law with a particular focus on new media and Web-based businesses.

The August 2008 ruling in Io Group, Inc. v. Veoh Networks, Inc., No. C06-03926 HRL, 2008 WL 4065872, (N.D. Cal. Aug 27, 2008), has been widely heralded as a win for online service providers in the legal maelstrom surrounding social media. Veoh is an Internet TV platform, similar to YouTube, that hosts user-uploaded content. When clips from adult movies owned by Io Group appeared on Veoh's network, rather than issuing Digital Millennium Copyright Act notices to Veoh requesting that their content be removed, Io went to court with a copyright infringement suit. But Io Group lost.

A Lesson for Content Owners

For content owners, the Veoh ruling reaffirms the importance of utilizing the DMCA takedown provisions, which require sending a take-down demand notice first, rather than running straight to a judge with a copyright infringement complaint. Had Io Group issued a DMCA notice before going to court, Veoh would have been under a duty to remove or disable access to the offending material. However, Veoh was able to claim the protection of the DMCA safe harbor because, by failing to send notice of the alleged infringement, Io Group could not prove that Veoh knew or should have known about infringing activity on its site.

Protections for Service Providers

In addition to clarifying the importance of sending proper notices, perhaps the biggest win for technologists under this case is the broadening of what is protected under the DMCA '512(c) safe harbor. When users uploaded content to Veoh's service, automatic processes would generate flash copies of uploaded clips and extract full resolution screen caps, which were used to index and organize content on the site. Io Group argued that since these files were created by Veoh and that uploaders might not even be aware that they were being created, Veoh should be held liable for infringements arising out of this content. The court held that inasmuch as these files were generated to facilitate user access to material on Veoh's Web site, they did not run afoul of the law when generated automatically.

Referring to statutory language, the Veoh court found that the DMCA both contemplated and implicitly recognized that some modification to uploaded content is permitted under '512(c). The DMCA offers two distinct definitions of “service providers” that may be eligible for safe harbor protection. As applied to the so-called “conduit-only” provisions of '512(a), a service provider must operate “without modification to the content of the material.” No such limitation applies to '512(c).

Indeed, one of the stated purposes of the DMCA was to facilitate the robust development and worldwide expansion of e-commerce, communications, research, development, and education in the digital age. This holding will provide innovators with broader protection for the back-end of platforms that provide content to viewers online.

The decision also affords service providers a degree of flexibility in how they deal with repeat infringers appearing on their services. Because anyone could sign up for Veoh's service using a pseudonym and disposable e-mail address, Io Group challenged Veoh's termination policy, claiming it was impossible for Veoh to detect if a banned user simply signed up with a new account. Since the same offenders would be back on the site, Io Group argued that the termination policy was effectively useless. Beyond noting that the existence of hypothetical rogue infringers does not raise an issue of fact, the court stressed that '512(c) does not require service providers to police users by tracking IP addresses (as suggested by Io Group), or by any particular method, so long as the ends of '512 are achieved.

To do so, Veoh implemented a system that allowed it to disable access to infringing material on its users' hard drives. Veoh also made use of digital fingerprinting technology that tracked files identical to those previously determined to be infringing and blocked them from reappearing on its servers. The court applauded these efforts and highlighted that the DMCA requires reasonable, not perfect, policies.

A Trapdoor in the Ruling?

One potentially troubling aspect of the Veoh ruling is the court's analysis pursuant to '512(c)(1)(B) of the DMCA. Under this provision, a service provider will lose safe harbor protection if it receives a direct financial benefit from infringing activities taking place on its service when it has the right and ability to control such activities. In an otherwise sensible discussion of this provision, the court may have created the basis for an affirmative duty for service providers to police infringing content by blurring the line between these similarly constructed concepts.

The court's discussion began with an analysis of whether Veoh had the right and ability to control the infringing activities of its users. Io Group's position was that because Veoh conducted spot checks of video files already uploaded to its servers for infringing activity, removed content, and terminated accounts of noncompliant users, Veoh did in fact exercise such a right and ability to control infringement.

The court astutely characterized this evidence as indicating that Veoh could control its own system, rather than the infringing activities of its users. As the court observed, the DMCA presupposes that a service provider has control of its system; it requires that the service provider block access or remove content posted on its system when it receives notice of claimed infringement. Accordingly, the court elaborated that the “right and ability to control” described under the DMCA cannot simply mean the ability to block or remove user uploaded content, and that “something more” must be demonstrated.

Elaborating upon what might constitute “something more,” the court may have veered off course. In attempting to determine what might constitute control in the digital context, the court put particular emphasis onto language from a discussion of vicarious liability in A&M Records, Inc. v. Napster , 239 F.3d 1004 (9th Cir. 2001), suggesting that a “reserved right to police must be exercised to its fullest extent.” This language carries through to the court's examination of Veoh's conduct where it wrote that, “[p]erhaps most importantly, there is no indication that Veoh has failed to police its system to the fullest extent permitted by its architecture.”

While the '512(c)(1)(B) requirements have grown out of principles and language traditionally associated with vicarious copyright liability, the two bodies of law diverge in an important manner. The DMCA explicitly states in '512(m) that the DMCA should not be construed to condition the applicability of the safe harbors on a service provider actively monitoring what users put on its service or otherwise policing for infringing activity. Accordingly, this element of the court's analysis not only directly contradicts the plain language of the statute, but might also be read to place an unintended burden on service providers to police to the fullest extent their architecture makes possible. If this inconsistency is not addressed moving forward, service providers could be held to a more rigorous standard of behavior under this decision than the plain language of the statute requires.

When Congress drafted the DMCA, it recognized that the Internet was fundamentally distinct from other environments in which copyright must operate. Certain functionalities that sustain the seamless operation of the Internet rely on behaviors that, under pre-DMCA copyright analysis, would give rise to countless infringements of copyright. Thus, Congress decided to limit the liability of Internet Service Providers with respect to these functionalities, including transitory communications, system caching, information location, and the storage of files at the direction of a user. These four behaviors each received safe harbor under the DMCA. In exchange for this protection, service providers took on a duty to act affirmatively when they learned that their services are being used to violate the rights of others. Section 512(m) is one manifestation of that balancing of incentives. As long as service providers make it easy for content owners to police infringing activity on their own, the service providers should not be expected to take affirmative action to seek out, monitor, or otherwise police for infringing activity.

This shifting of the burden to content owners, however, can be counterbalanced under the same provision of the DMCA. Section 512(m)'s disclaimer of a duty to police is subject to the service provider's compliance with “standard technical measures,” defined elsewhere in the statute as measures used to protect copyrighted works that are widely available, not overly burdensome for service providers to adopt, and developed “pursuant to a broad consensus of copyright owners and service providers in an open, fair, voluntary, multi-industry standards process.” In the end, content owners may be better served spending their time, money, and efforts on coordinating such a standards process than on hauling Internet Service Providers into court.

Oddly enough, the court acknowledges that an antecedent ability to filter or pre-screen for copyrighted material is the level of control that would be considered to violate '512(c)(1)(B) under Tur v. YouTube, Inc., No. CV064436, 2007 WL 1893635 (C.D. Cal., June 20, 2007), at the outset of its analysis. This precedent is not only sufficient to support the court's conclusions, but also bookends nicely with the holding that automatically generated copies used for indexing purposes are not infringements.

Except for the possible shift to service providers of the burden to police infringement, the opinion is detailed and well-reasoned. A comprehensive analysis of the case will provide content owners and media sites alike with solid guidance moving forward. Moreover, the case underscores the consequences of drawing legal conclusions from a particular set of facts and the dangers of anything less than a thorough examination of their long-range implications.

Steven R. Masur (smasur@masur law.com) is the founding member and general manager of MasurLaw, a media and entertainment law firm where he focuses on corporate transactional and intellectual property work in the field of digital entertainment. David J. Mazur ([email protected]) is an associate at MasurLaw who specializes in intellectual property and corporate law with a particular focus on new media and Web-based businesses.