Copyright Office Gratuitously Kills the DMCA Safe Harbor For Thousands of Websites

This story has been like watching a train wreck in slow motion. In 2011 (yes, over 5 years ago), the Copyright Office announced that it was going to transition the designation of DMCA safe harbor agents from paper to electronic. The current paper-based system has been archaic since the beginning, so creating an electronic database is long overdue.

However, the transition raised the question of what would happen to the legacy registrations. Obviously the Copyright Office could scan them and feed them into the new electronic database, but that would cost some money (the Final Rule complains about the cost but doesn’t provide a number). Plus, the Copyright Office said that its initial interim rules indicated that reregistration would be required. So the Copyright Office proposed requiring all existing registrants to reregister or THEY WILL LOSE THE DMCA SAFE HARBOR.

If that isn’t troubling enough, the Copyright Office also proposed to require all registrants to re-register every 2 years–again at the peril of losing the DMCA Safe Harbor if the sites fail to do so. The EFF, Jason Schultz and I submitted comments asking about how this solves any problem that needs solving. It’s not like digital data is milk that turns sour if you leave it on the counter overnight. The Copyright Office groused about outdated data in its database, but so what? That problem naturally self-corrects because outdated info will cause service providers to miss official takedown notices and lose the safe harbor anyway. But if the data hasn’t changed over the years, then there is absolutely zero benefit to requiring the reregistration.

Well, there is one minor benefit: the stream of reregistration fees flowing to the Copyright Office. We argued that DMCA safe harbor registrants categorically would prefer to pay larger upfront fees than be required to pay ongoing fees at the risk of their safe harbor status. The Final Rule responds that the Copyright Office thinks it’s “fairer” to service providers to spread out the payments (because, I guess, safe harbor forfeiture is “fair”?).

Instead, the only real “benefit” of requiring reregistration is that some well-meaning websites will inadvertently lose the safe harbor, making it easier for copyright owners to successfully sue them in court. In other words, the substantive “benefits” from this procedural change will accrue solely to copyright owners. What a shock.

In May of this year–after 5 years of silence–the Copyright Office issued a new NPRM. It was pitched as good news because the designation fees were going to be reduced substantially. However, the Copyright Office indicated they still planned to toss existing registrants overboard and require periodic renewals. The EFF, Rebecca Tushnet and I again told them this was stupid.

You know where this is going. Today the Copyright Office issued its Final Rule, and guess what? The final rule (to be codified at 37 CFR Part 201) terminates all existing DMCA agent designations on December 31, 2017–what it describes as a “generous” transition period that will be coupled with “public outreach efforts” that I’m sure will be compelling, comprehensive and highly effective. The Final Rule also requires reregistrations every 3 years to maintain the designation (the extra year–3 years rather than 2–is the office’s “concession” to the multitudinous objections about reregistration).

The Final Rule is as much a sales document as a government analysis. It clearly contemplates litigation challenges over the Copyright Office’s authority, and it tries to persuade us that its policy conclusions aren’t as stupid as they seem to be.

The Final Rule first tries to explain why it’s willing to throw thousands of websites out of the DMCA safe harbor in the quest for more accurate database info. For example, it says (footnotes omitted):

Because providing inaccurate or outdated information can be functionally equivalent to not designating an agent, it follows that just as designating an agent is a prerequisite for obtaining safe harbor protection, keeping that designation current and accurate must be an ongoing prerequisite as well.

Holy nonsequitur! As I mentioned, if info is outdated, then the safe harbor is functionally lost because the copyright owner will satisfy the statutory requirement but the notice will bounce or not be received. And of course, the safe harbors are voluntary, so websites aren’t required to accept or honor NOCIs even if received.

In further support of the data corruption problem, the Final Rule also discusses an empirical study apparently conducted by the Copyright Office. They sampled 500 registrations and found that 110 (22%) service providers were defunct and another 48% had outdated info based on a comparison with the website’s on-site disclosures. Of the latter group, the report said 20 of the 500 registrations didn’t disclose contact info on the site at all, which means those sites already lost the DMCA safe harbor for failing to comply with a different safe harbor requirement. Of the remaining 370 reviewed sites,

241 (approximately 65%) were out of date, as evidenced by the fact that one or more of the telephone number, physical mail address, or email address listed for a designated agent did not match the contact information on the corresponding service provider’s website

FFS. Did the Copyright Office consider that service providers might offer copyright owners MULTIPLE ways to provide legitimate notice? The statute doesn’t require the onsite disclosures to mirror the contact info in the Copyright Office’s designation; and in fact it’s likely that many registrants updated their contact procedures over time but saw no reason to pay the Copyright Office to amend the existing designation–ESPECIALLY IF THEY DIDN’T DEPRECATE THE PRIOR CONTACT MECHANISMS. So treating data inconsistencies as errors is obviously and disgustingly intellectually dishonest. TERRIBLE.

(Hey Copyright Office, if you’re going to try to pawn off BS studies on the public, please publicly release the dataset so we can independently assess it. But any independent assessment will almost certainly expose further gaping holes in the research…).

Predicated on this BS research conclusion, the Copyright Office concludes:

As this analysis shows, the apparent volume of designations in the Office’s directory belonging to defunct service providers or containing inaccurate information is extremely high. These findings are particularly concerning because they show that service providers might unwittingly be losing the protection of the safe harbors in section 512 by forgetting to maintain complete, accurate, and up-to-date information with the Copyright Office. These findings are also concerning because the directory in many cases would seem to be an unreliable resource, at best, to identify or obtain contact information for a particular service provider’s designated agent.

If registrants are truly “forgetting” to maintain their information, perhaps the Copyright Office could provide the public function of sending reminders? And if they are truly “forgetting,” isn’t that evidence that many otherwise-well-meaning websites are likely to forget to make the renewal/reregistration and lose the DMCA safe harbor inadvertently?

With a self-congratulatory pat on the back, the report says that it made renewal easy:

Renewal—which will initially cost a mere $6, take minutes to complete, and need only be attended to when information has changed or once every three years—should be a manageable proposition for even the smallest of service providers.

Manageable? Sure. But is the remedy for non-renewal proportionate to the consequences? NFW.

Indeed, the Copyright Office says it can–and will–send reminder notices to service providers (footnotes omitted):

To alleviate any concern that a service provider may accidentally forget to renew its designation during the three-year period, the online registration system will automatically generate a series of reminder emails well in advance of the renewal deadline to every email address associated with the service provider in the system (including the primary and secondary account contacts, the service provider, and the designated agent)….If, after those multiple reminders, a service provider fails to renew its designation, it can hardly be said to have let its designation lapse unwittingly. In addition, given that service providers already routinely manage an array of other recurring obligations that are integral to their businesses—including business licenses, software licenses, trademarks, web hosting, leases on web domain names, real estate leases, and insurance policies—the Office cannot see how such a renewal requirement could be viewed as excessively burdensome.

Will a few emails from the Copyright Office–demanding more money at the threat of the loss of legal rights–eliminate the risk of any accidental non-renewals? After all, businesses routinely get fraudulent spam with the same basic pitch.

And when the Copyright Office disingenuously says the renewal requirement “should in many cases actually assist service providers in retaining their safe harbor, rather than serving to deprive them of it,” it mockably conflates its ability to communicate helpful information to registrants with draconian substantive policy effects. Here’s an alternative: send out the reminder notices but don’t make the consequences of non-renewal COMPLETE FORFEITURE OF THE DMCA SAFE HARBORS. Similarly, the analogies to other recurring obligations, like business licenses, ignore (1) the frequently less draconian consequences of non-compliance, and (2) the reality that many of these recurring obligations are nevertheless frequently mismanaged by both big and small companies.

The Copyright Office responds to these arguments:

the Office believes that requiring service providers to actively review and either amend or resubmit their information is much more likely to lead to current and accurate information in the directory. In addition, simply sending out reminders would not help clear out defunct service providers from the system.

It’s true that draconian penalties often lead to greater compliance; but when the penalties are disproportionate to the transgression, they breed disrespect for the entire governance system. And, of course, the service providers already have incentives to maintain current information because of the risk of misdirected NOCIs.

To “help” service providers, the Copyright Office says they can reinstate lapsed registrations by paying the fee. But the Copyright Office will publicly display the periods when the registration lapsed, giving a useful roadmap to copyright owners who can easily just sue for the lapsed time period. So the public disclosure of the lapsed period will make a super “SUE HERE” flag for litigious copyright owners, helpfully provided as a public “service” by the Copyright Office.

Two other nits:

* the rules make it virtually impossible to use a PO Box as the publicly available mailing address. Even if they run their business out of their home, service providers can display a PO Box so only by making a special and time-consuming petition to the Copyright Office that shows “there is a demonstrable threat to an individual’s personal safety or security, such that it may be dangerous to publicly publish a street address where such individual can be located.” I don’t think the Copyright Office showed sufficient sensitivity to the privacy interests of people who work at home.

* the rule says “service providers must list all alternate names that the public would be likely to use to search for the service provider’s designated agent in the directory.” In the past, the rule has been that service providers got DMCA coverage only for the names/aliases they listed. Will copyright owners now be able to challenge an otherwise successful registration by arguing that the registration omitted brands/domain names that were “likely” to be searched? Or can copyright owners argue that service providers committed fraud on the Copyright Office by omitting brand/domain names? The rule’s overexpansive compulsion seems to give copyright owners a new attack vector in litigation.

Where Do We Go From Here?

The DMCA safe harbor is already progressively dying a slow death in the courts, so we have to view the Copyright Office’s move in the context of this broader and troubling trend. Even if we fix the Copyright Office’s mistake, we won’t change the overall trendlines.

Still, I see three primary ways to fix this mistake:

* have the Copyright Office reconsider this move. With Pallante’s departure, this seems more likely than it would have been otherwise, but I don’t see this happening quickly or without external pressure.
* sue over the Copyright Office’s authority to issue this rule. I’ll defer to the litigators about the likelihood of a litigation challenge succeeding. As I mentioned, the Copyright Office clearly anticipated such a challenge and repeatedly tried to prove its authority in the report.
* get Congress to override this rule. As we’ve lamented many times, if Congress ever revisits 512, it will almost certainly end up worse for defendants. So Congressional intervention is a nuclear option which almost certainly will have substantial collateral damage.

Given the unappealing nature of these options, I fear we’re going to be stuck with the Copyright Office’s rule. Sadly, this means we’re likely to see a growth of secondary copyright infringement cases not based on the DMCA, something we’ve seen occasionally to date. Fortunately, these cases have not always been a disaster for the service providers, especially if the sites have a working notice-and-takedown mechanism. Still, the DMCA was put in place for good reasons, and it’s sad to see the Copyright Office eviscerate it based on junk empirics, low-value policy considerations, condescension about the unnecessary burdens it’s placing on service providers, and a lack of proportionality between transgression and penalty.