If you haven’t been following the ongoing developments emerging from the demise of Grooveshark, the story has only gotten more interesting. As the RIAA and major record labels have struggled to shut down infringing content on Grooveshark’s site (and now its copycats), groups like EFF would have us believe that the entire Internet was at stake — even in the face of a fairly marginal victory by the recording industry. In the most recent episode, the issuance of a TRO against CloudFlare — a CDN service provider for the copycat versions of Grooveshark — has sparked much controversy. Ironically for CloudFlare, however, its efforts to evade compliance with the TRO may well have opened it up to far more significant infringement liability.
In response to Grooveshark’s shutdown in April, copycat sites began springing up. Initially, the record labels played a game of whac-a-mole as the copycats hopped from server to server within the United States. Ultimately the copycats settled on grooveshark.li, using a host and registrar outside of the country, as well as anonymized services that made direct action against the actual parties next to impossible. Instead of continuing the futile chase, the plaintiffs decided to address the problem more strategically.
High volume web sites like Grooveshark frequently depend upon third party providers to optimize their media streaming and related needs. In this case, the copycats relied upon the services of CloudFlare to provide DNS hosting and a content delivery network (“CDN”). Failing to thwart Grooveshark through direct action alone, the plaintiffs sought and were granted a TRO against certain third-parties, eventually served on CloudFlare, hoping to staunch the flow of infringing content by temporarily enjoining the ancillary activities that enabled the pirates to continue operations.
CloudFlare refused to comply with the TRO, claiming the TRO didn’t apply to it (for reasons discussed below). The court disagreed, however, and found that CloudFlare was, in fact, bound by the TRO.
Unsurprisingly the copyright scolds came out strongly against the TRO and its application to CloudFlare, claiming that
Copyright holders should not be allowed to blanket infrastructure companies with blocking requests, co-opting them into becoming private trademark and copyright police.
Devlin Hartline wrote an excellent analysis of the court’s decision that the TRO was properly applied to CloudFlare, concluding that it was neither improper nor problematic. In sum, as Hartline discusses, the court found that CloudFlare was indeed engaged in “active concert and participation” and was, therefore, properly subject to a TRO under FRCP 65 that would prevent it from further enabling the copycats to run their service.
Hartline’s analysis is spot-on, but we think it important to clarify and amplify his analysis in a way that, we believe, actually provides insight into a much larger problem for CloudFlare.
As Hartline states,
This TRO wasn’t about the “world at large,” and it wasn’t about turning the companies that provide internet infrastructure into the “trademark and copyright police.” It was about CloudFlare knowingly helping the enjoined defendants to continue violating the plaintiffs’ intellectual property rights.
Importantly, the issuance of the TRO turned in part on whether the plaintiffs were likely to succeed on the merits — which is to say that the copycats could in fact be liable for copyright infringement. Further, the initial TRO became a preliminary injunction before the final TRO hearing because the copycats failed to show up to defend themselves. Thus, CloudFlare was potentially exposing itself to a claim of contributory infringement, possibly from the time it was notified of the infringing activity by the RIAA. This is so because a claim of contributory liability would require that CloudFlare “knowingly” contributed to the infringement. Here there was actual knowledge upon issuance of the TRO (if not before).
However, had CloudFlare gone along with the proceedings and complied with the court’s order in good faith, § 512 of the Digital Millennium Copyright Act (DMCA) would have provided a safe harbor. Nevertheless, following from CloudFlare’s actual behavior, the company does now have a lot more to fear than a mere TRO.
Although we don’t have the full technical details of how CloudFlare’s service operates, we can make some fair assumptions. Most importantly, in order to optimize the content it serves, a CDN would necessarily have to store that content at some point as part of an optimizing cache scheme. Under the terms of the DMCA, an online service provider (OSP) that engages in caching of online content will be immune from liability, subject to certain conditions. The most important condition relevant here is that, in order to qualify for the safe harbor, the OSP must “expeditiously  remove, or disable access to, the material that is claimed to be infringing upon notification of claimed infringement[.]”
Here, not only had CloudFlare been informed by the plaintiffs that it was storing infringing content, but a district court had gone so far as to grant a TRO against CloudFlare’s serving of said content. It certainly seems plausible to view CloudFlare as acting outside the scope of the DMCA safe harbor once it refused to disable access to the infringing content after the plaintiffs contacted it, but certainly once the TRO was deemed to apply to it.
To underscore this point, CloudFlare’s arguments during the TRO proceedings essentially admitted to knowledge that infringing material was flowing through its CDN. CloudFlare focused its defense on the fact that it was not an active participant in the infringing activity, but was merely a passive network through which the copycats’ content was flowing. Moreover, CloudFlare argued that
Even if [it]—and every company in the world that provides similar services—took proactive steps to identify and block the Defendants, the website would remain up and running at its current domain name.
But while this argument may make some logical sense from the perspective of a party resisting an injunction, it amounts to a very big admission in terms of a possible infringement case — particularly given CloudFlare’s obstinance in refusing to help the plaintiffs shut down the infringing sites.
As noted above, CloudFlare had an affirmative duty to to at least suspend access to infringing material once it was aware of the infringement (and, of course, even more so once it received the TRO). Instead, CloudFlare relied upon its “impossibility” argument against complying with the TRO based on the claim that enjoining CloudFlare would be futile in thwarting the infringement of others. CloudFlare does appear to have since complied with the TRO (which is now a preliminary injunction), but the compliance does not change a very crucial fact: knowledge of the infringement on CloudFlare’s part existed before the preliminary injunction took effect, while CloudFlare resisted the initial TRO as well as RIAA’s efforts to secure compliance.
Phrased another way, CloudFlare became an infringer by virtue of having cached copyrighted content and been given notice of that content. However, in its view, merely removing CloudFlare’s storage of that copyrighted content would have done nothing to prevent other networks from also storing the copyrighted content, and therefore it should not be enjoined from its infringing behavior. This essentially amounts to an admission of knowledge of infringing content being stored in its network.
It would be hard to believe that CloudFlare’s counsel failed to advise it to consider the contributory infringement issues that could arise from its conduct prior to and during the TRO proceedings. Thus CloudFlare’s position is somewhat perplexing, particularly once the case became a TRO proceeding. CloudFlare could perhaps have made technical arguments against the TRO in an attempt to demonstrate to its customers that it didn’t automatically shut down services at the behest of the RIAA. It could have done this in good faith, and without the full-throated “impossibility” argument that could very plausibly draw them into infringement litigation. But whatever CloudFlare thought it was gaining in taking a “moral” stance on behalf of OSPs everywhere with its “impossibility” argument, it may well have ended up costing itself much more.