The News: A federal judge has just ruled in favor of website security provider Cloudflare in U.S. District Court for the Northern District of California last Thursday, in a case where the service provider was being accused of contributory copyright infringement. Cloudflare, which provides content delivery network and DDoS mitigation services for websites, was originally sued in November 2018 by two wedding dress manufacturers that alleged it was contributing to copyright infringements by counterfeit retailers because it failed to terminate services for their websites. The ruling in the Cloudflare copyright infringement case further reaffirms the existing legal framework that defines technology services providers’ liability in cases of copyright infringements. Read the full ruling here.
Ruling in Cloudflare Copyright Infringement Case Clarifies Liability Framework for Web Service Providers, Upholds DMCA Provisions
Analyst Take: The ruling in the Cloudflare copyright infringement case clarifies the liability framework for web service providers, which I believe is a good thing. Before we go further, here’s some background on the case, along with why this case matters.
Mon Cheri Bridals and Maggie Sottero Designs are two of the largest designers, manufacturers and wholesalers of wedding dresses and social occasion wear in the United States. Both claim to “have developed many of the world’s most unique and original wedding and social occasion dress patterns,” and own the copyrights for those designs, including photographic images of those designs. But hundreds of unlicensed companies, many operating out of China, have been selling counterfeit versions of those designs for years, and it is exceedingly difficult to successfully put an end to the illegal practice. Both companies, which also listed hundreds of unnamed “Doe” defendants in an amended complaint, took the ingenious step of also going after one of their web service providers, Cloudflare, presumably as a means to (1) cut off an essential infrastructure lifeline to counterfeit websites, and (2) in the hopes of seeing any hypothetical injunction favoring their complaint actually enforced.
The lawsuit claimed that Cloudflare’s TOS requires the company to terminate service following any violation of the law, and furthermore, that Cloudflare was not adequately enforcing its own policy to investigate violations of their TOS, let alone terminating repeat infringers. The plaintiffs claim to have sent Cloudflare thousands of takedown notices that were ultimately ignored, with no action taken against counterfeit websites. Per the amended complaint: “Even after learning of specific, identified acts of copyright infringement by the infringing websites through plaintiffs’ takedown notices, Cloudflare continues to cache, mirror, and store a copy of the infringing websites and the infringing content on its data center servers, and to transmit upon request copies of the infringing content to visitors of the infringing websites.
The plaintiffs’ argument was thus that “Cloudflare’s contributions allow the Internet browsers of visitors to the infringing websites to access and load the infringing websites and content much faster than if the user was forced to access the infringing websites and content from the primary host absent Cloudflare’s services.” This is an important point, as it encapsulates the entire case for making ISPs and other web services providers liable when the websites they serve break the law. Any federal Court ruling on this issue could, should established case law be misunderstood or brushed aside, have profound ramifications for the digital infrastructure that makes online commerce possible.
How The Complexity of Our Digital Infrastructure Played into This Case Despite The Existence of The DMCA
Cloudflare’s argument was that the plaintiffs’ case was based on a fundamental misunderstanding not only of the contributory copyright infringement doctrine and the Digital Millennium Copyright Act, but also of its services, which I found particularly interesting. Cloudflare also correctly warned that should the plaintiffs prevail the industry would suffer a damaging “expansion of the contributory infringement doctrine far beyond its established limits.”
To Cloudflare’s point, even a cursory reading of the DMCA’s section 512 on safe harbors should have predicted the outcome of this lawsuit. Moreover, for Cloudflare’s activity to qualify as contributory copyright infringement, Cloudflare would have to be in a position to “control the actions of the direct infringer, and/or be shown to receive or have received “direct financial benefit from the illegal infringement.” As a web security services provider, neither of these conditions are met, and Cloudflare’s assertion is that the company is therefore not guilty of contributory infringement as alleged.
In its argument to the court, Cloudflare explained that it was “nothing like the search engines and peer-to-peer networks that the [U.S. Court of Appeals for the] Ninth Circuit has found “significantly magnify otherwise immaterial infringements.” This is a crucial point, as it clearly defines the legal binding line that informs the determination of possible liability in contributory infringement cases: “Whereas Cloudflare’s services protect against malicious attacks and at most confer a split-second advantage to the loading time of a website someone is already visiting, the services previously considered by the Ninth Circuit actually helped visitors find infringing material they otherwise never would have found.” In other words, Cloudflare argued that its services, because they only enhance the performance of a website, do not contribute to the discovery or promotion of the website, and therefore cannot be held liable for the site’s activities in the same way that a search engine or digital advertising service should. Again, this is clearly outlined by the DMCA’s Section 512. Coudflare’s attorneys could have probably just pointed to it for the court, and that would have been enough to win the case.
The company also argued “There also is no ‘simple measure’ that Cloudflare failed to take to prevent further infringements in this case. Unlike hosting providers, Cloudflare could not remove allegedly infringing material from the Internet, and there is no question that those images would have remained available and equally accessible on the accused websites without Cloudflare’s services.” Once again, Cloudflare leaned on the DMCA to establish that, unlike hosting services, it is neither liable nor responsible for copyright infringements on the internet by its clients, as it does not host or cache their content.
The segmentation of the web services stack that Cloudflare presented in its defense forms the basis for the varying degrees of potential liability that, together, inform the current legal framework, outlined in the DMCA, which it asked the Court to uphold, and that is precisely what the Court did.
Per Judge Vince Chhabria, “a defendant is liable for contributory copyright infringement [only] if it has knowledge of another’s infringement and materially contributes to or induces that infringement.” The issue of material contribution is pivotal, as he explained with his next point: “Simply providing services to a copyright infringer does not qualify as a ‘material contribution. Rather, liability in the Internet context follows where a party ‘facilitate[s] access’ to infringing websites in such a way that ‘significantly magnif[ies]’ the underlying infringement.”
Judge Chhabria noted in his comments that, as the Ninth Circuit has already stated, the legal language that frames cases of contributory copyright infringement can be dangerously broad, and that therefore, much care must be placed on establishing the correct context for each one. In my view, one of the more understated aspects of his ruling, was a simple litmus test to determine if a service provider is liable: Did it provide, as the Judge put it, “an essential step in the infringement process?” Emphasis on “essential.”
This test also forms the dividing line for liability for this type of case.
How This Ruling Helps Frame Liability and Exemption from Liability for Web Services Providers
In Chhabria’s own words: “The “plaintiffs have not presented evidence from which a jury could conclude that Cloudflare’s performance-improvement services materially contribute to copyright infringement. […] The plaintiffs did not prove that the faster website-load times enabled by Cloudflare “would be likely to lead to significantly more infringement.” Additionally, Cloudflare removing infringing material from its cache would not prevent users from seeing the copyrighted images. Removing material from a cache without removing it from the hosting server would not prevent the direct infringement from occurring.”
And there it is: The entire legal framework separating liable web services providers from those that find themselves safe from liability.
The Judge also rejected the plaintiffs’ argument that Cloudflare’s security services, which help detect suspicious traffic and actively prevent attacks on website hosting services, represents a material contribution to infringement, saying: “Cloudflare’s security services also do not materially contribute to infringement. From the perspective of a user accessing the infringing websites, these services make no difference. Cloudflare’s security services do impact the ability of third parties to identify a website’s hosting provider and the IP address of the server on which it resides.”
He did, however, offer an interesting caveat that is worth being aware of: “If Cloudflare’s provision of these services made it more difficult for a third party to report incidents of infringement to the web host as part of an effort to get the underlying content taken down, perhaps it could be liable for contributory infringement. But here, the parties agree that Cloudflare informs complainants of the identity of the host in response to receiving a copyright complaint, in addition to forwarding the complaint along to the host provider.”
In short, Judge Chhabria’s ruling helped clarify where the dividing line falls between web services providers that can be held liable in court in cases of copyright infringement and those that should not. And while this specific case involved dressmakers, the same legal logic applies equally to other forms of intellectual property infringement cases, which can range from copyrighted content and trademarked products to patented inventions and licensed technology products. I note that while the DMCA provides a clear and fair framework for digital copyright infringement protections, liability, and remediation, lawsuits like this one will continue to challenge, or outright ignore, it in court, or at the very least carve out new exceptions that could serve as a beachhead for more potentially damaging action. Federal courts will hopefully continue to serve as guardians of the DMCA and other IP protections, but as we saw not so long ago in Qualcomm’s antitrust victory against the FTC, even federal judges can sometimes get simple cases wrong, with potentially dire circumstances
If nothing else, this case highlights the degree to which combating intellectual property infringements across international lines, and particularly when the offending parties operate out of China, can feel like an impossible task for IP owners based outside of China. This can be true whether they are dressmakers, software developers, or chipmakers.
One glimmer of hope lies in the possibility that China’s recent focus on beefing up its internal antitrust enforcement might bleed over into stronger enforcement of IP infringements inside China. Here is why: As China works to build its regulatory agencies’ credibility over the next few years, in order to presumably take a leadership role in global antitrust and adjacent regulatory fronts, it is possible, and even likely, that China will crack down on copyright infringers, including counterfeiters, with more consistency than it has in the past. On that front, only time will tell.
In the meantime, I expect that technology services providers, from cloud companies and ISPs to secondary services providers, will continue to find themselves not only defending themselves in court over IP infringement disputes, but also defending the established legal framework that delineates liability from indemnity in the technology sector when it comes to IP protections. Cases like this one, however, may help dissuade potential plaintiffs from targeting technology companies explicitly protected by DMCA provisions.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.