Introduction
Background
Requirements for legitimate notices
Fake DMCA takedown notices
Advice for entities
Clients should be aware of a troubling trend: phishing emails disguised as legitimate Digital Millennium Copyright Act (DMCA) takedown notices. Recipients of legitimate DMCA takedown notices will either shield themselves from copyright infringement liability if they follow all of the required steps, or find themselves exposed to copyright infringement liability and potentially steep money damages if they ignore one. The new phishing emails disguised as legitimate DMCA takedown notices could force an unsuspecting recipient to choose between potentially ignoring a valid notice and facing potential liability, or clicking the embedded link and falling prey to a phishing scam.
An entity that owns a website, platform or server is generally strictly liable for copyright infringement for infringing material hosted on their website, platform or server, regardless of whether it knows that the material is there. DMCA takedown notices arose from section 512 of the federal Copyright Act as a mechanism to:
- provide a "safe harbour" from liability to those entities that follow all the necessary statutory steps when third parties upload or post unauthorised copyrighted material to their platform, website or server; and
- put a system in place for rights holders to have their unauthorised works removed efficiently.
Entities that host infringing material on their platform, website or server (even unwittingly) but fail to respond appropriately to a valid takedown notice lose their safe harbour from copyright infringement liability for the infringing material they are hosting and can face significant monetary damages.(1)
In short, it is dangerous to ignore a legitimate DMCA takedown notice, because it can cost an entity significant amounts of money in terms of damages for copyright infringement.
Requirements for legitimate notices
Under the Copyright Act, a legitimate notice must contain the below information:
- a physical or electronic signature of a person authorised to act on behalf of the owner of an exclusive right that is allegedly infringed;
- the identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site;
- the identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material;
- information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number and, if available, an electronic mail address at which the complaining party may be contacted;
- a statement that the complaining party has a good-faith belief that use of the material in the manner complained of is not authorised by the copyright owner, its agent or the law; and
- a statement that the information in the notification is accurate and, under penalty of perjury, that the complaining party is authorised to act on behalf of the owner of an exclusive right that is allegedly infringed.
Unfortunately, phishing emails/fake DMCA takedown notices contain largely the above requisite information and can look legitimate. The unsuspecting recipient clicks on the link within the "notice" and finds that it is instead a phishing scam. The primary problem is the third item above: "information reasonably sufficient to permit the service provider to locate the material". Typically, the author of a legitimate DMCA takedown notice includes the URL link to the website where the infringing material can be found, so that the recipient of the notice knows exactly what to remove. But the scammers instead often include a URL or a link to a file that they ask the recipient to download to see the infringing material. Clicking on this link would set off an undesired chain of events on the recipient's end.
What should an entity do if it receives a questionable DMCA takedown notice? Should it click on the link to make sure it does not ignore a legitimate notice, because ignoring one would expose it to copyright infringement liability? Or should it delete the email and hope it was just a phishing scam? This is a very difficult position to be placed in. First, the recipient should ideally have an IT department that can quarantine and safely open the (potentially phishing) link and examine it. The recipient should bear in mind that they must respond to a legitimate DMCA takedown notice expeditiously, so their IT department should make this a priority. Second, the recipient can contact legal counsel if they need assistance. Third, they can consider reporting any confirmed phishing emails as described here.
For further information on this topic please contact Linda J Zirkelbach at Venable LLP by telephone (+1 410 244 7400) or email ([email protected]). The Venable LLP website can be accessed at www.venable.com.
Endnotes
(1) More information on this topic and the requisite steps an entity should take to preserve its safe harbour can be found in the following articles:
- "DMCA 512 Report: Key Findings by the U.S. Copyright Office";
- "Tis the Season: Act in Time, or Your Nonprofit Will Say Goodbye to Any DMCA Safe Harbor Protection from Copyright Infringement Liability"; and
- "Key Legal Tip for Publishers: Make Certain Your DMCA Designated Agent Does Not Expire This Year".