The internet era ushered in a new way for people around the world to access creative works with the click of a mouse or the tap of a finger. We all know that consumer demand outpaced the business models of entertainment companies, and music, movies, and other copyrighted works were, and still are, often accessed and shared unlawfully—without the permission of the rightsholders. While affordable music and video streaming services, the reduction of arbitrary “windowing” policies, and other practices have reduced the demand for infringing copies of works, many people continue to infringe copyright online, and more work needs to be done—in terms of making works more available and affordable, balanced enforcement, and even legal changes—to address this situation.

What we shouldn’t do, however, is expect ISPs to spy on their users, monitor their internet usage, and cut them off if they suspect they might be breaking the law, or if someone forwards them allegations making those claims. Unfortunately, a campaign of lawsuits against ISPs by record labels seeks to force ISPs to do just that. Cox, RCN, Grande Communications, and Charter have been sued, under the theory that, because they haven’t been active enough in cutting off their customers, they both lose their legal “safe harbor” and are liable for copyright infringements committed by their users.

Private, unaccountable parties should not be in the position of deciding who gets to access the internet and who doesn’t. It is true that a relatively small number of people use their internet connections to infringe copyright. There are also people out there who use the internet to plan bank robberies. Social networks and other services that people access on the internet should have policies in place to curb such activity, if possible. But ISPs are not the right place to do this—they provide a basic service necessary for all kinds of personal, economic, and civic activity. People use the internet to pay their bills, keep in touch with family and friends, and read the news. What’s more, home internet access is typically provided by a company that faces little or no competition, and that may even have an infrastructure-based natural monopoly, so it’s not like people have anywhere else they can go. Losing access to the internet is like getting your power cut off, or someone in the far suburbs losing her driver’s license—not something to be taken lightly, and something that should require due process of law.

The governing legal framework, however, in some respects treats ISPs the same as any other service provider. When the Digital Millennium Copyright Act (DMCA) was passed, internet access wasn’t nearly as important as it is today—and most ISPs were “edge services” accessed over telephone lines regulated under Title II of the Communications Act, as opposed to being fully integrated with access lines as they are today. One of the provisions of the DMCA provides that unless ISPs terminate (cut off internet access for) “repeat infringers,” they lose their “safe harbor”—which means they might become liable for their users’ activity (not that they automatically are liable—an important distinction). There’s a lot to be said about what a “repeat infringer” policy should look like, but in this post, I want to put forward a simpler claim—that even without the DMCA’s safe harbor provisions, ISPs, absent truly extraordinary circumstances, simply should not be liable when their users infringe copyright. 

The recent litigation has indeed shown that some ISPs did not have particularly robust repeat infringer policies, or that they did not always even follow the policies that they had. But none of that really matters. The existence of a safe harbor does not mean that there automatically is liability for any activity that falls outside the safe harbor. A safe harbor does not expand or contract liability, and when Congress created the safe harbor, it applied it to all kinds of services, not just ISPs—it did not single out ISPs as uniquely subject to copyright claims and thus in need of a safe harbor. (And, as mentioned above, ISPs at the time were not the utility-like services they are today, and no one thought in 1996 that the telephone companies that were then essential for internet access should be responsible for user activity.) Given the way that internet access is provided today, it may be simpler to just set the safe harbor issue to one side and consider whether ISPs can ever be liable for their users’ copyright infringements, either on a direct or secondary basis. A proper understanding of their actual role, and of what they should and should not do, should lead to the conclusion that they should not.

Legal Background

There are two types of liability for copyright infringement: (1) Direct infringement, and (2) Secondary infringement. Copyright works a little differently than the law in some areas, where multiple parties can be found to be “directly” liable for a given act. In copyright, only the party that committed the “volitional act” can be directly liable—in the situation we’re discussing here, that would be the ISP subscriber. Other parties that are somehow involved—and obviously the ISP is involved—can only be found liable on a secondary basis. Secondary liability is copyright liability in the same sense as direct liability, but it’s harder to establish. There are a few different kinds of secondary liability: Contributory liability (where you have to show that the party knew of the infringement, and materially contributed to it), and vicarious liability (where you have to show that the party had the right and ability to control the infringement, and received a financial or commercial benefit from it). Of course it gets more complicated than this, but those are the basics.

It’s important to realize, however, that merely providing the means by which someone else infringes copyright, and generally knowing that copyright infringement is happening, is not enough for there to be liability. This is the holding of the famous Betamax case, where the Supreme Court found that selling VCRs was not illegal because they are capable of “substantial non-infringing uses.”

Applying these legal tests to ISPs should show that ISPs, once their status as essential, basic utilities is recognized, don’t meet the standard for liability even without the safe harbor. 

They should not be contributorily liable because, unless they are spying on user activity (which should in general not be allowed), they don’t and can’t know about specific acts of infringement, and because providing internet access should not be considered “material” to copyright infringement online any more than providing electricity or computer operating systems is. A material cause should be substantial, and proximate. (And even if it is “material,” the fact that these services are clearly capable of substantial—indeed, primarily are used for—noninfringing uses should mean that providing them should not be used as a basis for liability.) And they should not be vicariously liable, because ISPs should not have the “right and ability” to control what users do online (regardless of what their terms of service currently say), and because they do not directly benefit from users’ infringing activity (only from selling internet access in the first place). For that matter, ISPs should not be considered to “induce” infringing activity merely by marketing and selling high-speed internet access, which, like internet access generally, is primarily used for lawful purposes.

One hard question is whether ISPs, upon receiving some notice that a user is infringing, thereby gain “knowledge” for the purpose of contributory liability. Even assuming that they do, the test for contributory infringement should still fail on the “materiality” test. That said, whether notices sent unilaterally by a rightsholder to an ISP or platform should be enough to require that it take action under a repeat infringer policy for the purpose of the availability of a safe harbor is one thing. But it would be bizarre to allow a form letter sent from some party to an ISP to be enough to establish “knowledge” on the part of the ISP unless the ISP itself independently verified its contents—to conclude otherwise creates an incentive for third parties to spam ISPs with “notices.” It’s worth noting, as well, that the “notices” we’re talking about are not the same thing as the DMCA “takedown notices” you may have heard about. ISPs do not “host” material and so they have nothing to take down, and providers of “transitory digital network communications” have no obligation under the law to receive notices of any kind, despite the fact that ISP terms of service often mention “DMCA notices.”

I’ll freely acknowledge that reaching these conclusions requires an understanding of the social and legal role of ISPs that is not universally shared, or even agreed to by ISPs themselves. This is a major caveat. ISPs, in fact, might be setting themselves up for liability by tracking user activity (thus giving themselves “knowledge”) and by instituting policies that treat cutting people off from internet access as no different from “no shirt, no shoes, no service” policies. I think that ISPs should be regulated and act as common carriers. Most of them do not want this. Common carriers do not, as a general rule, have blanket immunity for everything that happens with their facilities, but with copyright issues at least, it should be enough to make the traditional tests for secondary infringement inapplicable.

With this background, a recent determination by a magistrate judge in Colorado that Charter might be vicariously liable for user infringements is troubling. Again, this case is distinct from the litigation over the applicability of the safe harbors, since, just to say it again, the loss of a safe harbor does not imply liability. The judge seems to have gotten the “financial benefit” test wrong and the case might not stand up to appeal. But whether Charter has the “right and ability to control” its users wasn’t seriously contested because Charter itself asserts that it does. But there could be dangerous implications from this ruling if it stands. While I want online platforms like YouTube and Facebook to do a lot more when it comes to moderating content and deterring unlawful activity, the last thing I want ISPs to do is take a more active hand in moderating content. Even when internet access is used for unlawful purposes, looking to ISPs—rather than law enforcement, platforms, and other parties—to curb such activity sets the dangerous precedent that restricting access to basic, essential services is a legitimate public policy choice, and that private infrastructure-based communications services should monitor and control their users.

Applying tests for secondary copyright infringement to ISPs without considering the role that ISPs actually play today as essential infrastructure is a mistake. We never require that telephone, power, and water companies ensure that their products are used only for above-the-board purposes for a reason—not that we love it when people break the law, but because the economic and social cost of setting up the technical, legal, and business infrastructure to accomplish the task so obviously outweighs the benefit, especially when there are other, less invasive ways to prevent lawbreaking and other undesirable activities. This is the way we should think of ISPs, as well.