Cloudflare liable for copyright infringement by providing CDN services but not for DNS resolver services
DNS means ‘domain name system’. Every domain has a unique Internet Protocol (‘IP’) address, consisting of four numbers. Since it is not very practical to remember such numbers, domain names such as https://ipkitten.blogspot.com/ were introduced. The job of a DNS resolver service is to connect the domain name with the IP address. A more detailed description can be found here.
CDN means ‘content delivery network’. It is a network of servers that are distributed globally. It caches a website’s content on servers close to the end users, which increases the performance of the website. A more detailed description can be found here.
Background
The plaintiff owned the recording rights to the songs of German musician Sarah Connor. The website ddl-music.to provided a download link to one of her music albums without hosting the album itself. Cloudflare provided DNS resolver and CDN services to the operator of ddl-music.to.
The plaintiff sued Cloudflare for copyright infringement. The District Court held Cloudflare liable on account of its DNS resolver and CDN services. Cloudflare appealed.
The Higher Regional Court’s decisions
The Higher Regional Court of Cologne partially upheld the appeal (case 6 U 149/22).
It found that Cloudflare was liable for copyright infringement due to
providing the CDN services but not for the DNS resolver services.
Copyright infringement on ddl-music.to
It
was obvious to the judges that the download links provided on
ddl-music.to infringed the plaintiff’s right under the German equivalent
of Art. 3(2)(b) InfoSoc Directive. According to GS Media (case C-160/15, IPKat here and here)
merely providing links to copyright infringing content constitutes
‘communication to the public’ if this is done for financial gain in
knowledge of the illegal nature of the publication of the protected
work.
ddl-music.to was considered to be an obviously infringing
website. It contained, according to its own statements, over one million
download links to the latest charts, albums and audiobooks.
Additionally, the website’s host provider BlueAngelHost stated on its
website:
Our servers are located in Offshore location (Bulgaria) which enable us to offer DMCA Ignored Hosting services, total privacy, data security, and wider range of accepted content.and
“Why You Need it?“:
Purchasing USA-based hosting for a site that is not legal to be run in America is not a sensible thing to do. Offshore hosting can be helpful for less scrupulous business who wish to bypass local laws or regulations, particularly for issues like copyright law, which is also known as no DMCA hosting.After confirming the unlawfulness of the link on ddl-music.to, the Court dealt with Cloudflare’s liability as a service provider. The judges held that the CJEU’s case law on the liability of host providers (YouTube and Cyando, cases C-682/18 and C-683/18, IPKat here) applied to other providers that play an ‘indispensable role’ within the meaning of the CJEU’s case law.
No liability for DNS resolver services
As regards the DNS resolver services, the Court found that they did not play an ‘indispensable role’ for the making available of Sarah Conner’s music album.
Cloudflare’s DNS resolver was neither necessary to find the IP address of ddl-music.to nor did it make the access easier. Cloudflare’s DNS resolver is one of several freely available DNS resolvers. The Court also considered that such services are merely passive, automatic and neutral for the connection of domain names and IP addresses. Therefore, the Court found that a DNS service provider is comparable to an access provider. The latter’s liability required not only a clear notice of an obvious infringement but also that the plaintiff used best efforts to take action against the operator of the website or other service providers which are closer to the infringement (e.g. the host provider). Since the plaintiff did not show that it was impossible or unpromising to take action against the website operator or host provider, the conditions for liability were not met.
For the same reasons, the Court denied a website blocking order on the basis of the German transposition of Art. 8(3) of Directive 2001/29/EC.
Further, Cloudflare could rely on the domestic provision corresponding to Art. 12 E-Commerce Directive, exempting service providers for the transmission of information from liability. As of 17 February 2024, the DSA will partially amend the E-Commerce Directive. The rules on liability exemptions and monitoring obligations in Artt. 12 to 15 E-Commerce Directive will be replaced by Artt. 4, 5, 6 and 8 DSA (Art. 89 DSA). Therefore, the Higher Regional Court considered Recitals 28 and 29 DSA, which explicitly mention DNS resolvers and their exemption from liability (in particular under Art. 4 DSA, which is essentially identical to Art. 12 E-Commerce Directive). On that basis, the judges found that DNS service providers are covered by Art. 12 E-Commerce Directive.
Liability for CDN services
The Court held that Cloudflare’s CDN services played an ‘indispensable role’ for making the copyright infringing content on ddl-music.to available to the public. The website could only be accessed by using the CDN.
An ‘indispensable role’ is a necessary but not a sufficient condition for liability. Further criteria also spoke in favour of Cloudflare’s significant contribution to the infringement:
- There is an inherent possibility to abuse Cloudflare’s services for illegal activities.
- Cloudflare temporarily saved parts of the website not only for the time that is necessary to transmit the data.
- Cloudflare also protected the website by controlling access to it.
- The IP address of the website was not visible. A Whois search only showed the IP address of Cloudflare.
- Cloudflare provided an abuse form but did not make the IP addresses of its customers available even after reporting a website with illegal content.
Cloudflare could not rely on the liability exemption of Art. 12 E-Commerce Directive because their CDN services were not limited to the mere transmission of communication. The Court also found that the exemption in Art. 13 E-Commerce Directive
regarding caching did not apply. According to Cloudflare’s terms and
conditions, it may store the customer’s website for more than a year,
which the judges did not consider temporary anymore. Further, the CDN
services’ purpose was not only to make the information’s onward
transmission more efficient but also to make it more secure. This
purpose is not covered by Art. 13 E-Commerce Directive.
Finally, Cloudflare’s terms and conditions allowed it to alter certain
information of their customer’s website in order to enhance the security
of the website or the functionality of their could services.
Modification of the information prevents the exemption from applying (Art. 13(1)(a) E-Commerce Directive).
Comment
It
seems questionable to argue that the DNS resolver services did not make
the access to the website easier. The IP addresses of infringing
websites are usually concealed, which makes finding (and therefore
accessing) them quite difficult. And why should it matter that
Cloudflare is not the only provider of DNS resolver services? Should
someone be absolved from liability just because someone else could
support the illegal activities?
Picture is by Klinko and used under the licensing terms of pixabay.com.
Something seems to have gone wrong in Germany. First, the reasoning of the GS Media case is outdated and should be supplemented with case law from the Renckhoff and VG Bild-Kunst cases, among others. Second, the application of the provisions of the eCommerce Directive should also be considered problematic. The CDN is the primary tool that uses caching and allows the Internet to function. Without it, nothing would flourish as we would have to wait several minutes for popular sites to load. This is even emphasized in DSA paragraphs 28-29. Moreover, the caching exception talks about "temporary" storage of information, not short-term. Lege non distinguente, its application cannot be made dependent on whether the storage is for a long or short period of time, as long as this does not lead to circumvention of the function of the provision and would cover, for example, hosting. Even if the court were to decide that one year is too long (the usual period for static content), there is still the hosting exception mentioned above. Undoubtedly, in this case, it is not the CDN provider that is the infringer, but the eventual site administrator. Identifying that administrator will not be a problem for law enforcement/court based on a request to the domain registrar. So I don't understand where anyone got the idea that information from the Whois database is the holy grail to prove that a CDN provider is actively involved. To be honest, this is yet another decision where the German courts show that they don't understand how the Internet works.
ReplyDelete