Tell Congress to Protect Our Personal InformationLearn More About Unauthorized Access to Data
Yesterday, IMSLP, a website dedicated to archiving public domain sheet music lost its domain name due to a complaint sent by the UK’s Music Publishers Association to the site’s registrar, GoDaddy. The notice incorrectly claimed that IMSLP’s copy of Rachmaninoff’s The Bells infringed copyright. (Coverage by TorrentFreak, Michael Geist, and BoingBoing.)
GoDaddy then took down all of imslp.org, meaning none of the 37,000+ works available in IMSLP's music library could be accessed at that domain. Even as IMSLP staff scrambled to contest the takedown, users were being directed to domains that were still hosting the IMSLP site and its music library. Other users were posting IMSLP's IP address as well, giving the access to the whole library, including the allegedly infringing piece.
In the meantime, emails were being exchanged between people at IMSLP and the MPA, with varying degrees of contentiousness. In one exchange, an IMSLP editor points out that, in some of the back-and-forth, emails sent to his colleagues at an @imslp.org email address wouldn't be received—because the domain had been shut down at the sender's request.
This case illustrates some of the problems inherent in targeting domain names as a way to combat infringement—doing so simultaneously does too much and too little. Too much, because even if that one Rachmaninoff score had been infringing, the GoDaddy takedown of imslp.org would have removed access to any of the pieces reached via imslp.org. Too little, because all of those pieces, including the Rachmaninoff, were soon reached through alternate means. After all, the domain is just a pointer to the many pages on the site, not the hosted content itself.
The pro-domain seizure argument in the face of these difficulties is that locking out a domain will reduce traffic from casual visitors to an infringing site, making that site less prominent. While sophisticated users can get around the domain seizure, many will simply go elsewhere. The thing is, though, it doesn't take a great deal of sophistication to click on an alternative link to a site (posted in someone's twitter feed or message board). Plugins or apps to bypass the seized domain (example noted here) require even less per-session attention from the user. And this lack of effectiveness has to be judged against the counterbalancing harm that is caused when misdirected or overbroad domain takedowns pull legitimate content off the web. Sadly, if a site isn't as in demand, it's less likely to have as many users spreading the word about its IP address or alternate domains—meaning that infringing sites might come back form a seizure faster than innocent ones.
But domains point to more than just the addresses of websites; they're used to locate email servers as well. Emails sent to a seized domain aren't going to reach their intended recipient, cutting a means of communication vital to many things—including getting any issues regarding the allegations and the infringement resolved.
If the complaint had been targeted at one particular piece of music on a site otherwise hosting legal content, wouldn't the better idea have been to contact IMSLP directly? The questions about whether or not the work was in the public domain could then have been resolved directly between the parties, rather than dragging the registrar and a domain shutdown into it.
And here, the role and abilities of the registrar come to the fore. The registrar only has the power to flip the switch on a domain name, not individual subdomains or pages hosted on that domain. It's entirely up to the registrar how carefully it makes the decision to pull the plug. And in this case, it seems that GoDaddy wasn't particularly careful at all. Its incentives to question the notice, after all, are pretty minimal, while the risks of deliberating too long on the validity of the notice might jeopardize its safe harbor under the DMCA.
This brings up another criticism that has been raised in the context of COICA and its expected successor bills. COICA provided immunity from any legal liability for ISPs, registrars, and others who cut off business relationships with people they suspected of infringing copyrights or trademarks. Given the pressure and increased scrutiny upon registrars to "do something" about infringing sites, and without any countervailing legal obligation to uphold contracts with an accused site, why wouldn't a risk-averse registrar just pull the plug and let the name go dark?
MPA's trigger-happy notice demonstrates the problems that can arise when you put the power to take down something as broad as a domain in the hands of anyone with an email account and a willingness to send a notice. There have been questions about a new COICA-like bill that might include a private right of action—giving copyright holders the right to demand that ISPs and registrars lock down or blacklist domains they think are "dedicated to infringing activities." When critics of the bill note the extremes to which it can be taken and the negative consequences at the edges of its interpretation, we're assured that the Department of Justice won't overreach (when has it ever?). Yet private actors aren't seeking to limit the scope of their actions to only the clearest cases; they'll use the law as expansively as they can, so long as it helps them achieve their goals. That's not a criticism of private suits in general, but merely a reason to ensure that laws granting private rights of action are drafted carefully so as to prevent overlawyering by creative plaintiffs beyond the intent of the statute.
The good news is that IMSLP, after some back-and-forth, is back up and running at its original domain. The news is less good for a less popular site with less legal or technical sophistication that might suffer the same fate. If domain takedowns and seizures become the go-to mechanism by which rightsholders try to enforce their copyrights, we'll likely see more problems like this one arise.