A decade ago, when what would later be known as “cloud” services began to darken the skies of music copyright-holders, and mobile devices were in their adolescence, entrepreneur Michael Robertson launched a business that provided users with access to “their” music anywhere they could get online. The venture was soon crushed in copyright litigation brought by leading record labels. UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349 (S.D.N.Y. 2000).

About five years later, Robertson founded MP3tunes.com, offering a range of services that, similarly, allow end users to access music from anywhere – and to locate and store any “free” music to be found on the Internet. This time around, the same district court has upheld the basic business model of the venture against copyright challenges. The decision in Capitol Records, Inc. v. MP3tunes LLC, 07 Civ. 9931, 2011 U.S. Dist. LEXIS 93351 (S.D.N.Y. Aug. 22, 2011), appears to provide important guidance and support for other entities seeking to provide cloud services.

MP3.com and MP3tunes used different methods for putting music online. MP3.com ripped songs from tens of thousands of CDs it had purchased, loaded them onto its servers, and then streamed the songs to users who had previously purported to prove they already owned the same CDs by putting a corresponding CD into a computer connected with www.mp3.com. Using different means, MP3tunes lets its users select and store music in the cloud, then play it back or download it wherever they are.

The record labels said it made no difference that MP3tunes used different means for collecting the music its users access. However, in Capitol Records, Inc. v. MP3tunes, LLC, the district court, granting in part and denying in part the plaintiffs’ and the defendants’ cross-motions for summary judgment, wound up agreeing with MP3tunes on most of the Digital Millennium Copyright Act (DMCA) safe harbor issues, and particularly on those points critical to the MP3tunes business model. Among the key conclusions that lend further support to the cloud storage model, the court held that the service provider was not liable for copying — at the direction of its users — infringing music files found on third-party sites to its own servers and streaming infringing music to its users, provided it observed the requirements of the safe harbor.

How MP3tunes Works

Music gets stored in an end user’s online storage “locker” in one of three ways. First, a user can upload music files from their computer. Second, if the user knows the address of a music file that is available anywhere on the Internet, they can use an MP3tunes feature, known as Webload, to copy the file to their locker. Third, if the user neither possesses a copy of a song on their computer nor knows where it can be found on the Internet, they can search for the song at Sideload.com, another website owned by MP3tunes. With a click, they can send a copy of a song located by the Sideload search engine from the third party site into their locker. Users can also employ a Sideload plug-in to copy into their lockers any free music file they come across on the Internet without being on the Sideload.com website. MP3tunes keeps track of the specific, sometimes-different sources of each user’s copies of stored songs.

Songs from the user’s locker can either be played (streamed) or downloaded to the user’s Internet-connected computer or mobile device. When different users put an identical music file from the same source into their lockers, it appears that MP3tunes does not permanently store multiple full copies of the same song.  

Although the operation of the MP3tunes technology is not entirely clear from the court’s discussion, it apparently uses an automated system to create a “hash” tag (a unique, automatically-generated code used to identify a file comprised of specific bits of data). If the hash matches a file already stored by another user, after an automated de-duplication process, the new copy of the earlier-uploaded song is deleted, and the later user’s locker is populated with the hash rather than another copy of the same file. When that user requests to play the song, the system generates the version of the song from the hash tag – using the file stored by the first user. Assuming this understanding is correct, the term “locker” would be a metaphor, since MP3tunes does not actually allocate to each user a unique area of server space on which is stored each user’s own distinct copy of “their” content, as the defendant did in Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008). (For the sake of simplicity, we will nonetheless refer below to “copies” in end-users’ lockers.)

Repeat Infringer Policy Upheld

Leading record companies sued MP3tunes for copyright infringement, and all parties moved for summary judgment. The record labels asserted inter alia that MP3tunes was not protected by the safe harbors of the DMCA and was directly and secondarily liable for copyright infringement. The court addressed several key issues under the DMCA, beginning with the repeat infringer policy.  

Safe harbor eligibility requires that the website adopt and reasonably implement a policy of terminating the accounts of repeat infringers in appropriate circumstances. 17 U.S.C. § 512(i)(1)(A). In the court’s view, the key issues were whether the online service terminates “blatant” infringers, and whether the service purposefully fails to keep adequate records of the identities and activities of its users.

In a novel approach, the court distinguished between the “typical” “blatant infringer” — who knowingly uploads copyrighted matter for the world to copy or use — and lesser infringers who merely copy for their own use:

“There is a difference between users who know they lack authorization and nevertheless upload content to the Internet for the world to experience or copy, and users who download content for their personal use and are otherwise oblivious to the copyrights of others. The former are blatant infringers that Internet service providers are obligated to ban from their websites. The latter, like MP3tunes users who sideload content to their lockers for personal use, do not know for certain whether the material they are downloading [from third party sites] violates the copyrights of others.”

Consistent with this distinction, the court approvingly noted that MP3tunes had “terminated the accounts of 153 repeat infringers who violated copyrights by sharing the content of their lockers with other users.” The court was silent as to whether there were circumstances requiring that those storing infringing songs for personal use be terminated as repeat infringers. MP3tunes also did not purposefully blind itself to its users’ identities and activities. Rather, the company tracked the source of all sideloaded songs and could identify and terminate repeat infringers. Its implementation of its repeat infringer policy was therefore sufficient for safe harbor eligibility.

Inadequate Compliance with Takedown Notices

Under the DMCA, a request that infringing matter on a web service’s website be taken down must identify the infringed work and specify the URL where it can be found on the service’s website, so as to enable the service to easily locate the file. The record companies argued that it was sufficient for them to specify the web addresses for the infringing links on Sideload.com, since MP3tunes could then readily identify all the lockers “containing” copies of the infringing work obtained via that link. In a decision of first impression, the court agreed that MP3tunes had to not only disable the infringing links specifically identified as available at Sideload.com, but also delete the copies of the music files made from those links, contained in users’ lockers:

“Where service providers… allow users to search for copyrighted works posted to the Internet and to store those works in private accounts,… those service providers must (1) keep track of the source and web address of stored copyrighted material, and (2) take content down when copyright owners identify the infringing sources in otherwise compliant notices.”

Since, in response to the takedown notices, MP3tunes merely removed the links from Sideload.com, but failed to delete the infringing copies already stored in user lockers, this meant that MP3tunes’ response was inadequate for safe harbor protection.  

Consistent with prior decisions, the court held this did not mean that MP3tunes was obliged to search for and take down all of the record companies’ content on the companies’ theory that their notices were a representative list. “Absent adequate notice, MP3tunes would need to conduct a burdensome investigation in order to determine whether songs in its users’ accounts were unauthorized copies.… [T]he DMCA does not place this burden on service providers.”  
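The storage design described under “How MP3tunes Works” and the takedown handling the court required can be sketched together. This is an added illustration, not MP3tunes’ code: the class and method names, the use of SHA-256, and the sample URLs and byte strings are assumptions. It also assumes that a copy uploaded from a user’s own computer is left in place, because the notice identifies a source link rather than a file.

```python
import hashlib
from collections import defaultdict

class LockerStore:
    """Hypothetical model: one stored blob per content hash, many locker references."""

    def __init__(self):
        self.blobs = {}                    # sha256 hex -> file bytes (single stored copy)
        self.lockers = defaultdict(dict)   # user -> {track name: (digest, source_url)}

    def store(self, user, name, data, source_url=None):
        """Add a track to a locker; source_url is None for a direct upload."""
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)  # de-duplicate: keep only the first copy
        self.lockers[user][name] = (digest, source_url)
        return digest

    def play(self, user, name):
        """Resolve the locker reference back to the shared blob."""
        digest, _ = self.lockers[user][name]
        return self.blobs[digest]

    def takedown(self, source_url):
        """Remove every locker reference obtained from source_url, then
        delete blobs that no remaining locker entry references."""
        removed = []
        for user, tracks in self.lockers.items():
            for name in [n for n, (_, src) in tracks.items() if src == source_url]:
                del tracks[name]
                removed.append((user, name))
        live = {d for tracks in self.lockers.values() for d, _ in tracks.values()}
        for digest in list(self.blobs):
            if digest not in live:
                del self.blobs[digest]
        return sorted(removed)

def demo():
    # Constructed sample data: byte strings stand in for music files.
    s = LockerStore()
    song, other = b"constructed-song-bytes", b"constructed-other-bytes"
    s.store("alice", "song", song, "http://example.invalid/a.mp3")
    s.store("bob", "song", song, "http://example.invalid/a.mp3")
    s.store("carol", "song", song)         # same bytes, uploaded from her own computer
    s.store("bob", "other", other, "http://example.invalid/b.mp3")
    stored = len(s.blobs)                  # four locker entries, two stored blobs
    removed = s.takedown("http://example.invalid/a.mp3")
    kept = s.play("carol", "song") == song # shared blob survives: still referenced
    s.takedown("http://example.invalid/b.mp3")
    return stored, removed, kept, len(s.blobs)
```

Because the blob is shared, a takedown has to operate on the per-user references and their recorded source, not on the file hash; deleting by hash would also remove the copy that came from a different source.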

Actual or “Red Flag” Knowledge

Service providers are also ineligible for the safe harbor if they have actual knowledge of infringing matter on their websites, or are aware of facts and circumstances that make infringement apparent (the “red flag” test), § 512(c)(1)(A) and (d)(1). The court stated that the red flag test is met, precluding safe harbor eligibility, if the web service links to sites “whose illegal purpose is obvious to a reasonable person.” Neither MP3tunes nor its executives could be said to have actual or red flag knowledge, since the linked websites that were the source of songs at Sideload.com did not use terms (such as “pirate” or “bootleg”) that indicated their illegal purposes and since the illegality was not obvious without investigation. “[T]he DMCA does not place the burden of investigation on the Internet service provider.” The court clarified:

“Put another way, if investigation is required to determine whether material is infringing, then those facts and circumstances are not ‘red flags’.… As other courts have held, that rule makes sense where infringing works might be a small fraction of works posted to a website.”

Plaintiffs’ complaint alleged that “the vast majority of the music available through the MP3tunes service is infringing,” but apparently they were unable to offer proof sufficiently convincing to the court.

Finally, the court held that emails or notices by third parties that do not substantially comply with the DMCA’s takedown notice requirements also cannot establish actual or red flag knowledge.

Direct Financial Benefit Bar Not Satisfied

Web services are not eligible for the safe harbor if they have the right and ability to control, and derive direct financial benefit from, infringing activity. The labels contended that MP3tunes benefited financially because infringing activity acts as a draw and increases user traffic to MP3tunes. The court rejected the argument: “While Sideload.com may be used to draw users to MP3tunes.com and drive sales of pay lockers, it has non-infringing uses. Moreover, MP3tunes did not promote infringement.” Further, “any link between infringing activity and a direct benefit to MP3tunes is attenuated because sideloaded songs were stored free of charge and infringing and non-infringing users of Sideload.com paid precisely the same or nothing at all, for locker services.”  

Plaintiffs also failed on the right-and-ability-to-control prong for the safe harbor, which “requires something more than the ability to remove or block access to materials posted on a service provider’s website.” “[T]he pertinent inquiry is not whether [the service provider] has the right and ability to control its system, but rather, whether it has the right and ability to control the infringing activity.” MP3tunes does not select the linked websites containing illegal material; “[a]t worst, MP3tunes set up a fully automated system where users can choose to download infringing content.” This lack of control over user conduct is insufficient to bar MP3tunes from being eligible for the safe harbor.  

To sum up: MP3tunes’ failure to remove from users’ lockers previously stored infringing copies, for which the record companies had sent takedown notices, made it ineligible for the safe harbor. But the court essentially validated MP3tunes’ business model, since in the future it will theoretically be possible for the service to expeditiously remove infringing music files from its servers upon notice. If this decision is followed by other courts, the issue, as a practical matter, may be whether music copyright-holders can serve takedown notices at such a pace, for a large enough proportion of the music stored in users’ lockers, that the takedowns will seriously impair the usefulness of the cloud storage service for end users.

Secondary Liability: Contributory Infringement

Having held that the DMCA safe harbor did not preclude all liability, the court next considered, on summary judgment, MP3tunes’ secondary liability for the copies of songs in users’ lockers for which it had been denied the safe harbor. The court began by sweeping aside MP3tunes’ asserted defenses that plaintiffs’ proof of ownership of the copyrights in the songs was defective and that free promotional downloads amounted to abandonment or an implied license for MP3tunes’ users to store and use the music at issue. Since this meant that MP3tunes’ users were direct infringers, the court turned to MP3tunes’ liability for contributory infringement. Contributory infringement liability required proof that MP3tunes knew of the infringing activity, and nonetheless materially contributed to it.  

“MP3tunes’ knowledge of the unauthorized use of infringing sideloaded material is manifest,” the court held, based on plaintiffs’ take-down notices that put MP3tunes on notice that the specified music files were infringing copies and based on the fact that MP3tunes had removed the infringing links from Sideload.com. The material contribution element is satisfied when the defendant’s contribution is substantial, and “substantial contribution is found where an Internet service provider’s servers ‘are the sole instrumentality of their subscribers’ infringement.’” That was the case here. MP3tunes asserted finally that it was protected from secondary liability because its service had substantial non-infringing uses. The court rejected this contention on the ground that, in all of the past cases in which this was held a valid defense, the defendants did not have an on-going relationship with the direct infringers, as did MP3tunes.

No Direct Infringement by MP3tunes

The court denied the record companies’ summary judgment claim that MP3tunes had directly infringed their copyrights. First, there was a triable issue as to whether the direct infringements of its executives and employees were performed in the course of their employment, and could therefore be attributed to MP3tunes. (However, since Robertson was an individually named defendant, the court found him directly liable for the songs he personally sideloaded from infringing sites.) Second, in a confusing (and perhaps confused) part of its analysis, the court denied summary judgment on the record companies’ claim that MP3tunes violated the performance right by streaming music from a “master copy” of each copyrighted music file. The court rejected their position on the factual ground that MP3tunes did not use a “master copy” and on the legal ground that, in any event, the safe harbor applied to the performances at issue.

Conclusion and Comment: Cloud Model Vindicated

Notwithstanding the liability “setback” for MP3tunes itself and for Robertson, the district court decision represents an important (if possibly intermediate) victory for those promoting cloud storage by individual end users. The record companies did not, judging from the complaint and the summary judgment decision, challenge end users’ right to upload music from their own computers to their lockers, and the infringement claims largely turned on MP3tunes’ easy-to-use systems for locating, storing and playing music files from third-party sites, which plaintiffs alleged were “overwhelmingly” a source of infringing copies. But the district court absolved the service provider of liability for copying to its servers and streaming the infringing music files found on such sites, provided it observes the requirements of the safe harbor.

The district court joined other courts in requiring particularized notices of infringement, and in rejecting copyright holder contentions that it is enough that infringing matter is notoriously present. The court drew an interesting distinction, in the context of “repeat infringement,” between users who upload to make music available to others (deemed “blatant infringers”) and those who do not. It is not clear from the opinion how those who repeatedly “sideload” music from infringing sites, but solely for their own use, should be treated.  

We will not be surprised to see appeals to the Second Circuit by both sides, in the fullness of time, though it is not clear whether plaintiffs will first take the case to trial on the remaining issues, including direct liability and damages due. For now, the cloud computing model finds further legal support.