Internet Access Providers Aren’t Bound by DMCA Unmasking Subpoenas–In re Cox

The DMCA online safe harbor is a notice-and-takedown scheme. Web hosts aren’t liable for copyright-infringing third-party uploads unless and until the copyright owner submits a proper takedown notice to the host, at which point the web host can remain legally protected by expeditiously removing the targeted item. By taking web hosts out of the liability chain, the DMCA nominally keeps any infringement disputes being between the uploader and the copyright owner.

To help copyright owners sue anonymous or pseudonymous uploaders, the DMCA provides a procedural fast lane to expedite infringer identifications. 512(h) says that copyright owners can request unmasking subpoeanas of allegedly infringing uploaders simply by requesting the subpoena from a court clerk, rather than pursuing the more time-consuming and expensive process of suing a John Doe and then asking the judge for a subpoena. 512(h) is an artifact of a different time. Knowing what we know now, 512(h) raises obvious concerns about copyright owner ,misuse and uploader privacy risks.

The DMCA handles Internet access providers (IAPs) differently because they don’t “host” any content. As the court says, “a § 512(a) service provider cannot participate in the notice and takedown process, because there is nothing for a § 512(a) service provider to take down.”

Instead, 512(a) provides IAPs with a blanket immunity from copyright infringement when acting in their roles as IAPs, with a huge caveat. The DMCA still requires IAPs to “terminate repeat infringers” to remain eligible for the DMCA safe harbor, which IAPs don’t want to do. They don’t want to lose paying customers, but also, termination of an IAP’s account is materially different than termination of a web hosting account. Losing hosting services kicks the uploader off part of the Internet–bad enough–but losing Internet access kicks the uploader off the entire Internet. That may be a consequence disproportionate to the legal violation, especially when imposed without court supervision or any due process. The Supreme Court will review the interplay between copyright owner takedown notices and IAPs’ liability for uploader-caused copyright infringement in the pending Cox v. Sony case.

Today’s case involves users of BitTorrent. BitTorrent doesn’t conform to the standard DMCA paradigm because it splits the hosting of an allegedly infringing file across a wide number of users, so a 512(c)(3) takedown notice to a BitTorrent “host” doesn’t redress any infringement. As a result, copyright owners have pressured IAPs to act as their copyright cops, including terminating subscribers who repeatedly use BitTorrent.

In addition, copyright owners have requested 512(h) subpoenas from IAPs to identify and sue alleged subscriber-infringers. In this case, a copyright owner requested and obtained (just by asking the court clerk) a 512(h) subpoena to unmask 29 Cox users who allegedly participated in the infringement of the movie Fall. Cox notified the 29 users that their identity would be unmasked; 28 didn’t respond. (Cox didn’t have to give this notice to users; it could have simply forked over the requested information straightaway). One user did object to the 512(h) subpoena in court (he claims any alleged infringement was because he left his wi-fi router open without password protection), and that leads to this Ninth Circuit opinion.

The court says that copyright owners can never send proper 512(c)(3) takedown notices to IAPs because the 512(c)(3) notices must specify the location of the item that it wants taken down–an impossibility if the IAP isn’t hosting the item:

[an IAP] cannot “remove” or “disable access to” any infringing content those subscribers might share, because there is nothing for the § 512(a) service provider to remove. Without the ability to provide a valid (c)(3)(A) notification to § 512(a) service providers, copyright holders cannot satisfy the requirements for issuance of a § 512(h) subpoena….[the] statutory text confirms that a § 512(a) service provider is not a contemplated recipient of a proper (c)(3)(A) notification. For these reasons, the DMCA does not permit a § 512(h) subpoena to issue to a § 512(a) service provider.

This is not a new conclusion. The DC Circuit (the Verizon case) and Eighth Circuit (the Charter case) reached the same conclusion 20 years ago.

[Note: this raise the obvious question–why are copyright owners still making 512(h) requests that multiple appellate courts declared illegitimate a generation ago? You and I both know the answers: (1) most IAPs honor the 512(h) subpoenas, and (2) copyright owners relentlessly undermine every aspect of the DMCA statute.]

The copyright owner tendered an “expert” report that IAPs can disable access to targeted items using destination null routing and port blocking. The court says that even if this were true, it doesn’t satisfy the statute:

an ISP can use these methods only to prevent its own subscribers (and not subscribers of other ISPs) from reaching destination IP addresses containing infringing material or using ports that commonly route infringing material. In other words, an ISP cannot “disable access” to infringing material via port blocking or destination null routing; it can only disable its subscribers’ access to infringing material. Capstone points to nothing in the text or legislative history of § 512 suggesting that Congress contemplated such a piecemeal application of the notice and takedown procedure.

In other words, the DMCA contemplated that “disabling access” to an infringing file meant stopping the hosting of that file. Because IAPs aren’t hosting an uploader’s file, any other remedial interventions don’t satisfy the statute.

[Note: this opinion includes an incredibly rare discussion of 512(e), the oft-overlooked safe harbor for educational institutions hosting faculty uploads. I am not aware of any litigation directly involving 512(e) ever.]

The court reiterates its clear and unambiguous holding: “the DMCA does not permit a § 512(h) subpoena to issue to a § 512(a) service provider.”

To get around this, the copyright owner argued that Cox was “linking” to infringing material, so the copyright owner could negate Cox’s 512(d) safe harbor through its takedown notice. The court rejects this as a technical matter, saying

Connecting a user to the Internet and assigning the user an IP address does not “link” or “refer” the user anywhere, much less to a particular location containing infringing material.

Thus, it didn’t matter that the copyright owner showed that Cox offered hosting services when those services weren’t implicated by the takedown notices.

Implications

I imagine the copyright owners will appeal this ruling to the Supreme Court. However, the Cox v. Sony case could moot this entirely if it provides a clean bill of copyright health to the IAPs.

For now, it’s hard to assess the significance of this ruling given that the legal questions were fully vetted and seemingly resolved over 20 years ago. Maybe now copyright owners will believe it more given that the Ninth Circuit has spoken?

This ruling reinforces that court clerks should not issue 512(h) subpoenas targeting IAPs for their 512(a)-immunized functions. But how does a clerk know if the requested subpoena targets 512(a) or 512(c)/512(d) functions? The 512(c)(3) notices may not make this clear, and it would require court clerks to investigate and evaluate the substance of the subpoena request–essentially, to make a determination about what the 512(h) subpoeana targets. However, the clerk’s role is not to make legal judgments; that’s a judge’s job. In other words, 512(h) routinely, predictably, and impermissibly forces court clerks to exceed their legal authority. This seems like a good reason to strike down the entire 512(h) mechanism or repeal it.

This opinion should also embolden IAPs to toss any 512(h) subpoenas in the trash because they are illegitimate. However, IAPs could have done that a long time ago based on the past precedent and haven’t. Further, IAPs are running scared of copyright owners because of the massive judgments that are being issued by courts who have decided IAPs don’t qualify for 512(a) for not terminating repeat infringers fast enough. Perhaps the Supreme Court will give IAPs more backbone with a favorable ruling in Cox v. Sony. But even if that happens, copyright owners are not going to give up their leverage over IAPs. They will continue to push Congress for new legal tools and look for other ways to undermine IAPs in court. If IAPs think they can placate copyright owners by acquiescing to their 512(h) subpoenas even if the law makes those invalid, they are sorely mistaken.

[Note: If 512(h) subpoenas are categorically illegitimate for 512(a) activities, then I wonder if any users who are unmasked by those illegitimate subpoenas will have tenable claims against the IAPs?]

On that front, there are proposed bills in Congress to impose site-blocking obligations on IAPs, similar to the duties already imposed in the EU. This is essentially what the copyright owners sought in this case, with their proposed technical solutions of destination null routing and port blocking. There are countless problems with IAP site-blocking, which is why SOPA went down in flames over a dozen years ago. But as the old maxim goes, bad policy ideas never die, they just get recycled. UGC is already dying on the Internet, and mandatory site-blocking in the US would speed up that process.

The opinion wasn’t affected by the IAP subscribers’ use of BitTorrent. It’s hard to believe BitTorrent is still a thing nowadays. However, it never went away, and it is regaining some importance due to the combination of (1) the growth of paywalls, plus their inevitable and ongoing enshittification, and (2) more importantly, the removal of material from the streaming databases so that there is no legitimate source to consume the content at all. (See Prof. Mark Lemley’s discussion of that topic). The continued vitality of BitTorrent highlights why copyright owners are desperate to deputize IAPs as their copyright cops and won’t stop until they find a way.

Copyright owners don’t need to rely on 512(h) to unmask Internet uploaders. They can always bring a Doe lawsuit and request an unmasking subpoena from a judge. Obviously copyright owners would much prefer not to do this. A Doe lawsuit is more expensive and takes more time. Also, judges reviewing the subpoena requests won’t grant them automatically, and copyright owners would rather not have judges impeding their desired enforcement efforts.

Case Citation: In re Subpoena of Internet Subscribers of Cox Communications, LLC, 2025 WL 2371947 (9th Cir. Aug. 15, 2025)

Some Other Blog Posts on 512(h)

• Court Quashes 512(h) Subpoena on First Amendment Grounds–In re 512(h) Subpoena to Twitter
• Court Quashes 512(h) Subpoena Submitted to YouTube–Watch Tower v. Kevin McFree
• Twitter Can’t Quash a 512(h) Subpoena
• Court Orders Unmasking Subpoena of Alleged Infringers–Baugher v. GoDaddy
• 2H 2019 and Q1 2020 Quick Links, Part 1 (Copyright, E-Commerce, Advertising)
• 512(h) Doesn’t Preempt Doe Unmasking Lawsuits–Strike 3 v. Doe
• eBay Must Disclose User Identities In Response To 512(h) Subpoenas
• Q2 2015 Quick Links, Part 1 (IP, Marketing and More)
• An Unmasking Effort Gets Gutted Some More – Art of Living Foundation v. Does
• Copyright Doe Defendant Can’t Quash Disclosure Subpoena Anonymously—Hard Drive Productions v. Does (Guest Blog Post)
• Spiritual Group’s Attempt to Unmask Online Critics Goes South–Art of Living Foundation v. Does
• Did a Court Eliminate 512(h) Subpoenas?–Maximized Living v. Google
• Co-Blogger Identity Isn’t Disclosed via 512(h), but Takedown Letters Are Copyrightable