Federal Appeals Court Finds that DMCA Subpoena Power Does Not Apply to Peer-to-Peer
On Dec. 19, 2003, the U.S. Court of Appeals for the D.C. Circuit ruled that the music industry, and other copyright holders, may not use clerk-issued subpoenas to force Internet service providers (“ISPs”) to identify subscribers they believe to be swapping infringing copyright material using peer-to-peer (“P2P”) file sharing software. The Court held that such subpoenas may be issued under the Digital Millennium Copyright Act (“DMCA”) only to ISPs who are storing such materials on their own servers, and not when they act as mere conduits, providing only transmission and routing services among customer-owned PCs.
In Recording Industry Association of America, Inc. v. Verizon Internet Services, Inc., No. 03-7015 (D.C. Cir., Dec. 19, 2003), the D.C. Circuit reversed two earlier district court decisions that had significantly expanded the ability of copyright holders to use the DMCA subpoena power to force ISPs to disclose the identity of subscribers believed to be using P2P software (see Update dated Jan. 22, 2003). Through the RIAA, the recording industry has served and aggressively pursued enforcement of hundreds of subpoenas directed at ISPs to force disclosure of the identity of the ISPs’ end-user subscribers. The latest decision on this closely watched issue represents a major victory for privacy advocates and for ISPs that have sought to protect the identity of subscribers against the casual but significantly increasing use of clerk-issued subpoenas.
The DMCA expanded the rights of copyright owners, but also established “safe harbors” to protect ISPs from liability for the activities of their customers. One familiar safe harbor is colloquially known as “notice and takedown.” It provides that an ISP that makes available web hosting services is not liable for infringing copies posted to a hosted server if it responds to proper DMCA notices by removing an allegedly infringing copy of a copyrighted work from a subscriber’s site on the ISP’s server, after offering the subscriber an opportunity to dispute the allegation. Another safe harbor provides that ISPs that merely provide transport are protected from liability if they maintain policies to terminate the ISP accounts of repeat infringers. At issue in this case was the scope of a provision under the DMCA that permits copyright owners to obtain, from a court clerk, a subpoena requiring an ISP to “expeditiously disclose” the name of a subscriber (publicly known only by an IP address) suspected of copyright infringement.
The interplay between each of these provisions, and how they apply to hosted web sites, is detailed in the DMCA. Problems arose, however, when the RIAA attempted to use the DMCA subpoenas to identify alleged P2P copyright infringers by forcing the alleged infringer’s ISP to identify its subscriber. Where a subscriber utilizes P2P software, the allegedly infringing material resides only on that subscriber’s PC, and nowhere on the ISP’s network or facilities. For that reason, it is problematic for an ISP to verify claims of infringement. Furthermore, other legal issues may be raised if the ISP discloses the identity of a customer based only on the (unverified) claim that some infringing material resides on the customer’s PC. Unlike with hosting and caching, for example, there is no “proof” that anything shared by subscribers actually infringed copyright.
This case arose after the RIAA served a DMCA subpoena on Verizon’s ISP affiliate, seeking the identity of a subscriber who had allegedly downloaded more than 600 music files from KaZaA, a popular P2P file sharing service. Verizon declined to disclose the subscriber’s identity, and litigation ensued. The district court ruled in favor of the RIAA, finding that the definition of “service provider” subject to a subpoena is “unequivocally” broad enough to encompass ISPs who serve customers who in turn use P2P software and services. As a policy matter, the lower court saw no reason that Congress would distinguish disclosures of identities in one context (hosted web sites) from another (P2P files stored on an ISP subscriber’s PC).
The D.C. Circuit’s Ruling: ISPs Acting as Mere Conduits Are Not Subject to DMCA Subpoenas
The D.C. Circuit’s decision focuses almost exclusively on the proper interpretation of Section 512 of the DMCA. Although the lower court considered certain constitutional issues raised by Verizon, the appellate court did not reach them, because it determined at the outset that the subpoena provision in Section 512(h) does not apply to “mere conduit” ISPs on its face.
Key to the court’s decision is the very nature of P2P services, which rely on a decentralized network and index of files that are maintained on end-user PCs, rather than on a central server owned by the ISP. In order to secure a subpoena under Section 512(h), the party seeking the subpoena must satisfy certain notice requirements under Section 512(c). Pointing out that proper notice requires a description of the materials the copyright owner is asking the ISP to disable access to or remove, the Court held that the notice requirements—and thus the subpoena power as a whole—cannot apply to “mere conduit” ISPs because they lack the ability to remove or disable access to specific items. Although the Court noted that it was sympathetic to the RIAA’s concerns regarding copyright infringement, the Court declined to expand the DMCA, citing familiar precedent that it is the role of Congress, rather than the courts, to rewrite copyright law in order to make it fit new and unforeseen technologies, such as P2P software.
This decision marks a significant setback for certain copyright owners (the music and movie industries most prominently) who have used the DMCA to support legal actions against individuals using P2P software.1 Further, the decision offers ISPs persuasive authority to support their efforts to maintain the appropriate balance between respecting subscriber privacy interests and complying with the increasingly expanding reach of federal copyright law. The decision should also support the return of previously disclosed information in proceedings in which RIAA obtained personal information pursuant to invalid subpoenas. The RIAA and its members can still, however, pursue more traditional “John Doe” suits against infringers whose identity is unknown and utilize traditional third-party discovery techniques to seek names and addresses from ISPs.
If you have further questions about this decision, or other DMCA related issues, please contact us.
1 There are other pending cases involving hundreds of subpoenas served on Verizon, SBC and Charter as well MIT, Boston College, and UNC that also act as ISPs. See generally http://www.eff.org/IP/P2P/riaa-v-thepeople.php. These are in addition to the hundreds of suits that have been filed against individual users of P2P software.