http://ipkitten.blogspot.com/2024/02/cloudflare-liable-for-copyright.html
After the German Supreme Court set a high bar for obtaining a website blocking order against Internet service providers in DNS-Sperre (IPKat here), the Higher Regional Court of Cologne dealt with the question whether the provider of DNS resolver and CDN services can be liable for copyright infringement if it provides its services to the operators of websites with illegal content.
DNS means ‘domain name system’. Every domain has a unique Internet Protocol (‘IP’) address, consisting of four numbers. Since it is not very practical to remember such numbers, domain names such as https://ipkitten.blogspot.com/ were introduced. The job of a DNS resolver service is to connect the domain name with the IP address. A more detailed description can be found here.
CDN means ‘content delivery network’. It is a network of servers that are distributed globally. It caches a website’s content on servers close to the end users, which increases the performance of the website. A more detailed description can be found here.
Background
The plaintiff owned the recording rights to the songs of German musician Sarah Connor. The website ddl-music.to provided a download link to one of her music albums without hosting the album itself. Cloudflare provided DNS resolver and CDN services to the operator of ddl-music.to.
The plaintiff sued Cloudflare for copyright infringement. The District Court held Cloudflare liable on account of its DNS resolver and CDN services. Cloudflare appealed.
The Higher Regional Court’s decisions
The Higher Regional Court of Cologne partially upheld the appeal (case 6 U 149/22).
It found that Cloudflare was liable for copyright infringement due to
providing the CDN services but not for the DNS resolver services.
Copyright infringement on ddl-music.to
It
was obvious to the judges that the download links provided on
ddl-music.to infringed the plaintiff’s right under the German equivalent
of Art. 3(2)(b) InfoSoc Directive. According to GS Media (case C-160/15, IPKat here and here)
merely providing links to copyright infringing content constitutes
‘communication to the public’ if this is done for financial gain in
knowledge of the illegal nature of the publication of the protected
work.
ddl-music.to was considered to be an obviously infringing
website. It contained, according to its own statements, over one million
download links to the latest charts, albums and audiobooks.
Additionally, the website’s host provider BlueAngelHost stated on its
website:
Our servers are located in Offshore location
(Bulgaria) which enable us to offer DMCA Ignored Hosting services, total
privacy, data security, and wider range of accepted content.
and
“Why
You Need it?“:
Purchasing USA-based hosting for a site that is not
legal to be run in America is not a sensible thing to do. Offshore
hosting can be helpful for less scrupulous business who wish to bypass
local laws or regulations, particularly for issues like copyright law,
which is also known as no DMCA hosting.
After confirming the
unlawfulness of the link on ddl-music.to, the Court dealt with
Cloudflare’s liability as a service provider. The judges held that the
CJEU’s case law on the liability of host providers (YouTube and Cyando, cases C-682/18 and C-683/18, IPKat here) applied to other providers that play an ‘indispensable role’ within the meaning of the CJEU’s case law.
No liability for DNS resolver services
As
regards the DNS resolver services, the Court found that they did not
play an ‘indispensable role’ for the making available of Sarah Conner’s
music album.
Cloudflare’s DNS resolver was neither necessary to
find the IP address of ddl-music.to nor did it make the access easier.
Cloudflare’s DNS resolver is one of several freely available DNS
resolvers. The Court also considered that such services are merely
passive, automatic and neutral for the connection of domain
names and IP addresses. Therefore, the Court found that a DNS service
provider is comparable to an access provider. The latter’s liability
required not only a clear notice of an obvious infringement but also
that the plaintiff used best efforts to take action against the operator
of the website or other service providers which are closer to the
infringement (e.g. the host provider). Since the plaintiff did not show
that it was impossible or unpromising to take action against the website
operator or host provider, the conditions for liability were not met.
For the same reasons, the Court denied a website blocking order on the basis of the German transposition of Art. 8(3) of Directive 2001/29/EC.
Further, Cloudflare could rely on the domestic provision corresponding to Art. 12 E-Commerce Directive,
exempting service providers for the transmission of information from
liability. As of 17 February 2024, the DSA will partially amend the
E-Commerce Directive. The rules on liability exemptions and monitoring
obligations in Artt. 12 to 15 E-Commerce Directive will be replaced by Artt. 4, 5, 6 and 8 DSA (Art. 89 DSA). Therefore, the Higher Regional Court considered Recitals 28 and 29 DSA, which explicitly mention DNS resolvers and their exemption from liability (in particular under Art. 4 DSA, which is essentially identical to Art. 12 E-Commerce Directive). On that basis, the judges found that DNS service providers are covered by Art. 12 E-Commerce Directive.
Liability for CDN services
The Court held that Cloudflare’s CDN services played an ‘indispensable
role’ for making the copyright infringing content on ddl-music.to
available to the public. The website could only be accessed by using the
CDN.
An ‘indispensable role’ is a necessary but not a
sufficient condition for liability. Further criteria also spoke in
favour of Cloudflare’s significant contribution to the infringement:
- There is an inherent possibility to abuse Cloudflare’s services for illegal activities.
- Cloudflare temporarily saved parts of the website not only for the time that is necessary to transmit the data.
- Cloudflare also protected the website by controlling access to it.
- The IP address of the website was not visible. A Whois search only showed the IP address of Cloudflare.
- Cloudflare provided an abuse form but did not make the IP
addresses of its customers available even after reporting a website with
illegal content.
Cloudflare could not rely on the liability exemption of Art. 12 E-Commerce Directive because their CDN services were not limited to the mere transmission of communication. The Court also found that the exemption in Art. 13 E-Commerce Directive
regarding caching did not apply. According to Cloudflare’s terms and
conditions, it may store the customer’s website for more than a year,
which the judges did not consider temporary anymore. Further, the CDN
services’ purpose was not only to make the information’s onward
transmission more efficient but also to make it more secure. This
purpose is not covered by Art. 13 E-Commerce Directive.
Finally, Cloudflare’s terms and conditions allowed it to alter certain
information of their customer’s website in order to enhance the security
of the website or the functionality of their could services.
Modification of the information prevents the exemption from applying (Art. 13(1)(a) E-Commerce Directive).
Comment
It
seems questionable to argue that the DNS resolver services did not make
the access to the website easier. The IP addresses of infringing
websites are usually concealed, which makes finding (and therefore
accessing) them quite difficult. And why should it matter that
Cloudflare is not the only provider of DNS resolver services? Should
someone be absolved from liability just because someone else could
support the illegal activities?
Picture is by Klinko and used under the licensing terms of pixabay.com.
Content reproduced from The IPKat as permitted under the Creative Commons Licence (UK).