Marco.org

I’m : a programmer, writer, podcaster, geek, and coffee enthusiast.

The DMCA takedown problem

A lot of people were talking about the “secret copyright treaty” last week, but most of the cited scary parts are already U.S. law that we’re trying to get everyone else to enforce the same way.

This is the truly scary part of today’s system:

…”notice-and-takedown” rules that require ISPs to remove any material that is accused — again, without evidence or trial — of infringing copyright. This has proved a disaster in the US and other countries, where it provides an easy means of censoring material, just by accusing it of infringing copyright.

Here’s how this system is supposed to work (approximately — I am neither a laywer nor an expert on this):

  1. Someone posts copyright-infringing material on a site.
  2. The copyright owner sends a DMCA takedown notice to the site’s owner, its hosting company, or Google.
  3. The recipient must either remove the cited material within a very short time (usually 24-48 hours) or file a counter-notice asserting that they believe the takedown notice is invalid.

In practice, it doesn’t always work smoothly. The person receiving the notices, usually someone at the hosting company, isn’t a copyright lawyer, as lawyers are expensive. Every incentive encourages a fast, blind takedown. Questioning weak or ambiguous claims costs a fortune and invites liability.

Here’s what happens, in practice, if a copyright owner sends an invalid or questionable takedown notice to a host or Google:

The takedown system is unreliable, and putting any faith in it raises some questions:

Most takedown notices are probably valid and sent by lawyers, right?

No. Anyone can send them, and most people aren’t copyright experts.

Well, the infringement decision is usually straightforward and obvious, right?

No. There’s a lot of gray area, and many claims are impossible to verify. Hosts always err on the side of caution, assuming that every takedown notice is valid and the only possible outcome is the prompt removal of the content. Google apparently doesn’t bother even looking.

The copyright holder’s identity is verified somehow, right?

No. Anyone can send a takedown notice with a single email or by filling out a single web form from anywhere, potentially via anonymizing proxies, claiming to be anyone else. I’ve never seen any hosts or site owners who took even the most rudimentary measures to verify the claimed identity of notice authors. Google probably runs a sophisticated identity verification algorithm: if (1).

This isn’t a good combination.

Anyone can force any content on nearly any site hosted in the U.S. to be taken down or removed from Google’s index, at least for a while, with no ramifications, liability, or traceability by filling out a simple web form or sending an email.

An attacker could republish this post on another blog, give it yesterday’s date, and send an email to The Planet claiming that this is infringing their copyright. Within a couple of days, this post would be gone, and I’d have no recourse.

Much of this system is necessary, and there’s a lot of of gray area. I don’t know how to fix it, but it needs to be fixed.