14 strikes and you’re out. Or not. Emails reveal how Cox lost Safe Harbor

Analysis We now know why US cable ISP Cox Communications lost the "safe harbor" DMCA liability protection afforded to those who disconnect high volume P2P file sharers.

It appears to be down to its failure to take infringement notices sufficiently seriously, a US court has ruled.

Last week in an East Virginia court, a judge stripped Cox of its protection, in a case bought by music publishers BMG Rights Management and its copyright cop, Rightscorp Inc. Cox has already lost legal support from insurer Lloyds over the loss of protection.

Judge Liam O'Grady's memorandum explaining his decision, which the court finally published yesterday, contained internal emails which he said suggested that Cox wasn't taking its legal obligation, or public statements seriously enough.

The memorandum described how, at the end of a 14-step process, a Cox subscriber who had been ostensibly kicked off for "infringement" could sign up for services again, and have their "infringement" count reset to 0.

The decision is likely to inspire a flood of "sky is falling" anxiety from technology companies and anti-copyright activist groups. In fact, once the smoke clears, the decision is unlikely to change the landscape in the US much, if at all ... provided ISPs that do what they publicly say they already do.

If ISPs have an effective policy to kick out repeat copyright infringers – and by US law, they must – then nothing has changed. One of Cox's potential defences failed in this case because while it publicly stated that it had such a policy, the judge decided it was ineffective. The ruling means they must act on it.

Here's why almost all subscribers of US ISPs and the ISPs themselves, don't need to panic.

As we explained yesterday, ISPs enjoy protection from incurring huge damages in copyright infringement cases, in the form of limited liabilities, but only if they fulfil certain criteria.

They need to be registered, and have a policy of dealing with "repeat infringers". Repeat isn't defined by law, and will be clarified if BMG v Cox goes to full trial, which is set for tomorrow.

Major ISPs have signed up to a voluntary programme to deal with serial offenders (the "Six Strikes" Copyright Alert System), but Cox didn't. It argued its own graduated response for dealing with repeat infringers was good enough to fulfil its DMCA "Safe Harbor" obligations.

But we learn a lot from the hitherto confidential emails between Cox staff. These emails convinced the judge that that Cox staff weren't dealing effectively with infringers who downloaded tens of thousands of files on Cox's network via BitTorrent.

According to the memorandum and the emails attached, Cox's system of responding to notifications (CATS) worked on a 180-day cycle. The first seven complaints triggered emails to the subscriber. The eighth placed the subscriber in a sin bin, which Cox called a "soft-walled garden". They could only receive a single web page containing a warning message.

But, according to the memorandum, they could self-reactivate the service by clicking a button, having promised to delete the infringing files they downloaded. The eight, ninth, tenth and eleventh warnings required the subscriber to make a phone call. Only by the fourteenth warning would Cox consider disconnecting the torrenter.

O'Grady writes that before 2012, Cox might have allowed a serial infringer account to be reactivated.

[i] The record conclusively establishes that before the fall of 2012 Cox did not implement its repeat infringer policy. Instead, Cox publicly purported to comply with its policy, while privately disparaging and intentionally circumventing the DMCA’s requirements.

Cox employees followed an unwritten policy put in place by senior members of Cox’s abuse group by which accounts used to repeatedly infringe copyrights would be nominally terminated, only to be reactivated upon request.

Once these accounts were reactivated, customers were given clean slates, meaning the next notice of infringement Cox received linked to those accounts would be considered the first in Cox’s graduate response procedure.

One email from Cox's abuse manager to staff informed them: "With this in mind if a customer is terminated for DMCA, you are able to reactivate them after you give them a stern warning about violating our AUP and the DMCA. We must still terminate in order for us to be in compliance with safe harbor but once termination is complete, we have fulfilled our obligation."

Cox charmingly referred to subscribers as "RGUs", or revenue generating units.

"... it is important to try and balance the needs of the company with the protection of the network. DMCA does not hurt the network like DOS attack, spam or hacking. It is not something we advertise however," the abuse manager admitted.

In another email he explained:

This way, we can collect a few extra weeks of payments for their account. ;-)

And another time, faced with what his staff described as "a habitual abuser", the abuse manager replied:

“It is fine. We need the customers.”

Cox was actually terminating abusers. It averaged 15.5 disconnections per month at one stage, then just 22 in the 26 months to November 2014 (when BMG filed the suit). Seventeen of the 22 were failure to pay bills – not for infringement.

This coincided with the introduction of the Copyright Alert System, which Cox's rival ISPs had agreed to sign up to.

While O'Grady explains that the disconnection numbers alone don't provide a legal standard concerning Cox's legal obligations, when all the evidence is considered, he had to make the decision he did.

The law

Once DMCA's safe harbor protection has been removed, there's little protection for individuals engaging in direct, contributory or vicarious copyright infringement, if they know what's going on, and have a chance to prevent it.

The full trial is due to begin tomorrow. Read The Memorandum (314kb, PDF). ®

Bootnotes

BMG Rights Management is owned by Bertelsmann, not by Sony BMG as we erroneously stated yesterday. The two parent companies, Cox and Bertelsmann, are roughly the same size. Not that it matters.

In case you're wondering, US law distinguishes between different kinds of internet companies in its implementation of Safe Harbor, with an ISP falling under 17/Section 512(a) in the DMCA. YouTube falls under 512(c), so what happens in BMG v Cox isn't in US law relevant to YouTube and other services that store a user's content.