Legal Analysis of the “Admiral” Anti-Adblocker DMCA Incident
The Story So Far
A company called Admiral makes ad-blocker-blocker technology.
This company argues that that ad-blocker-blocker-technology constitutes an “effective measure” to control access to a copyrighted work within the meaning of 17 USC 1201 (DMCA 1201, the chapter banning “anti-circumvention” technology).
A domain name used by this company as part of its ad-blocker-blocker technology is added to Easylist, the default blacklist used by Adblock Plus. This list is hosted on GitHub.
Admiral complains to GitHub using their DMCA complaint procedure.
GitHub forwards the complaint to the Easylist maintainer.
The Easylist maintainer agrees (under the implied threat of having the repository shut down) to remove the database entry from the repository, which is a single line naming a domain name.
This becomes a news story and people start talking about it.
Admiral defends its actions.
Other coverage: HN
The Law
17 USC 512 (DMCA 512) provides for a variety of cases in which certain entities are immune from liability for copyright infringement.
This includes
17 USC 512(a), which provides immunity for the ISPs through which infringing material may flow.
17 USC 512(b), which provides immunity for intermediary web caches which may cache infringing material automatically.
17 USC 512(c), which provides immunity for “information residing on systems or networks at direction of users”. This is the “YouTube exception”, and the clause applicable to GitHub and its activities.
17 USC 512(c) provides a “notice and takedown” system. In order to claim the immunity from liability offered by 17 USC 512(c), a party must, amongst other things, process “DMCA notices” and take down material when they receive a notice.
The concept of a "DMCA notice” does not exist or apply for any section of the DMCA other than 17 USC 512(c).
This means that:
Sending a DMCA notice to an entity which is not a 17 USC 512(c) entity, such as an ISP, in regard of traffic routed through it is legally meaningless, and;
Sending a DMCA notice in regard of something other than copyright infringement is legally meaningless.
17 USC 1201 (DMCA 1201) prohibits the “circumvention of technological measures”, or providing “any technology, product, service, device, component, or part thereof” primarily designed for that purpose.
Essentially, this clause bans breaking DRM and bans distributing tools to break DRM.
Violation of this clause may result in civil and criminal penalties, but this crime is not copyright infringement; it is, in fact, a wholly separate cause of action ("violating section 1201 or 1202”).
Because the violation of 17 USC 1201 is not a mode of “copyright infringement”, the specific exemptions from liability provided by 17 USC 512 do not apply.
As such, the 17 USC 512(c) notice and takedown system is wholly inapplicable to alleged 17 USC 1201 violations. The concept of a “DMCA notice” in regard to alleged 17 USC 1201 violations is legally meaningless, and equivalent to simply sending a letter of complaint complaining about the alleged violations of 17 USC 1201 and making no reference to the concept of a "DMCA notice” whatsoever. Likewise, no section of the law places obligations on an entity such as GitHub to take action having received such a complaint.
47 USC 230 (CDA 230) states that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider”.
In practice, this means that ISPs and perhaps also websites are not liable for the content they carry. However, 47 USC 230 also expressly states that, amongst other things, laws relating to intellectual property are exempted.
Importantly, this exemption does not state that it applies to “copyright infringement”; it states that it applies to any intellectual property law.
Because of this, 47 USC 230 and 17 USC 512 are commonly considered together, insofar that they complement one another; 47 USC 230 provides immunity for almost everything other than intellectual property, and 17 USC 512 provides immunity (providing certain conditions are met) for copyright infringement.
However, the set of civil torts and criminal offences in the category of “intellectual property” is far larger than solely “copyright infringement”, even if we put aside patent and trademark law. Because violation of 17 USC 1201 is not “copyright infringement”, but a wholly separate type of violation within the domain of intellectual property law, neither 47 USC 230 nor 17 USC 512 applies.
The consequence of this is that where 17 USC 1201 is violated, an intermediary such as an ISP or website will not be able to defend themselves via 17 USC 512, or possibly at all. This is a massive gap in US copyright law and creates a potentially alarming liability time bomb for websites hosting user-generated content — a liability which few have yet noticed.
The civil and criminal penalties for violations of 17 USC 1201 are conditional on that violation being both “wilful” and “for purposes of commercial advantage or private financial gain”. The “wilful” requirement is probably the strongest defence here; you could make an argument that if GitHub was informed of a violation of 17 USC 1201 on its service and then took it down as soon as it became aware of it, then said violation was not wilful; and likewise, if it was made aware of it and did nothing, said violation could be deemed wilful from that point onwards.
How The Complaint Was Made
GitHub has a page called “Guide to Submitting a DMCA Takedown Notice”. This page focuses overwhelmingly on copyright infringement issues. It casually mentions that code may violate 17 USC 1201, but doesn't mention how such cases should be brought to GitHub's attention.
Upon choosing to proceed to send a complaint to GitHub, it offers only the choice of sending a “DMCA takedown notice” or a “DMCA counter notice”, neither of which are applicable to 17 USC 1201 or violations of it.
If one chooses to send a “DMCA takedown notice” anyway, the template e. mail provided makes countless references to copyright infringement, and none at all to 17 USC 1201.
Admiral have now published a blog post defending their actions, which includes a copy of the complaint they sent to GitHub using their template e. mail for “DMCA takedown notices”.
The e. mail which was sent was modified from the template by changing references to copyright, copyright owners and copyright infringement in the questions in the template, below which the complainant is expected to write responses, to also reference 17 USC 1201.
For example, GitHub's e. mail template asks:
Are you the copyright owner or authorized to act on the copyright owner's behalf?But Admiral's e. mail changed the question to this:
Are you the copyright owner, 17 USC 1201-1203 injured person or authorized to act on the copyright owner's behalf?Essentially GitHub did not have a useable process for reporting 17 USC 1201 violations to them, so Admiral made one up by adapting their DMCA notice form, and GitHub accepted it.
Admiral's e. mail also includes the following, also adapted from GitHub's boilerplate to reference 17 USC 1201:
I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, the 17 USC 1201-1203 injured person or the law. I have taken fair use into consideration.This is nonsensical for several reasons:
Reference to “Copyrighted Materials”. Firstly, whether something violates 17 USC 1201 has nothing to do with whether that thing is copyrighted or not. If Easylist were to be public domain it would be irrelevant. Implying that the materials at the URL to be taken down are copyrighted is irrelevant to the substance of the complaint, does not assist the complaint and could in some circumstances be inaccurate.
No Power To Authorize. Secondly, the above text talks about whether the materials are “authorized by [...] the 17 USC 1201-1203 injured person”. This is also legally meaningless because no particular entity has the power to authorize the trafficking in technology violating 17 USC 1201. Unlike copyright, the infringement of which is determined by whether certain actions were authorised by the copyright holder, the illegality of technology under 17 USC 1201(2) is determined by three factors, none of which have to do with a specific copyright holder or party injured under 17 USC 1201.
Although one of those factors is whether a technology is “primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title”, and “circumvent a technological measure” is subsequently defined as “to [...] otherwise avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner”, a close reading indicates that this does not afford discretion to a given copyright holder injured by a violation of 17 USC 1201 on a transactional, per-violation basis.
Rather, it is the fact that technology under 17 USC 1201, in general, is primarily designed for the purpose of doing things without the authority of the copyright holder for any given copyrighted material at hand, which makes it prohibited. The trafficking of any given technology does not change from violating 17 USC 1201 to not violating 17 USC 1201 and vice versa constantly as different entities potentially injured by violations of 17 USC 1201 claim to authorize or not authorize said trafficking. Rather, whether a technology violates 17 USC 1201 is based on an assessment of its primarily designed purpose, independent of any specific case or injured party.
In this regard it makes no sense for the e. mail to state whether the material was authorised by “the 17 USC 1201-1203 injured person”, because the consent of the injured is not a factor in whether 17 USC 1201 was violated, just as a murder does not become legal because its victim consented; the law does not confer such powers upon the injured party, neither in the case of homicide nor in the case of violations of 17 USC 1201. And more generally, a given violation of the law can create multiple injured parties, and the opinion of no one injured party holds more weight than any other.
None of this, of course, precludes an entity from excercising their discretion in deciding whether to complain about a potential violation of 17 USC 1201 or not. But this is a separate dimension from whether a technology is “authorized”.
If we accept the rather absurd claim that an entry in a database can constitute a violation of 17 USC 1201, could there be more than one party injured by this? Probably — not only Admiral but also its customers, who rely on its technology in some hopeless effort to prevent the use of adblockers (and, under Admiral's theory, invoke 17 USC 1201 to control access to their copyrighted materials). In this regard it's strange for Admiral to present itself as having the power, by virtue of the issuance or non-issuance of an authorization from it, to control whether a technology violates 17 USC 1201 or not.
Interlude
Conclusions so far:
There is a hole in US law regarding immunity for intermediaries against intellectual property law violations other than for copyright infringement specifically, created by the fact that the “Intellectual Property”-shaped hole in the otherwise broad 47 USC 230 immunity is much larger than the narrow immunities for “copyright infringement” granted by 17 USC 512.
GitHub does not have a proper process for making it aware of alleged intellectual property-related law violations other than those for which 17 USC 512(c) is applicable. This undermines transparency and GitHub should rectify it.
Admiral has for some reason tried to misrepresent their complaint as a complaint brought under 17 USC 512(c), even though that section is inapplicable and their complaint's potential validity would remain without such representations. They have also insinuated that their authorization determines whether 17 USC 1201 is violated, which is not the case.
GitHub has accepted the claim of a 17 USC 1201 violation at face value and demanded it be rectified. Regardless of the validity of this claim, GitHub has pressured the project to remove this database entry, and the project has complied.
What if a counternotice was sent?
17 USC 512(c) provides for takedown notices, but also provides for counternotices. Essentially, if a user uploads content to a website and another party then sends a takedown notice pursuant to 17 USC 512(c), the website must take the content down promptly to retain their exemption from liability.
If the original uploader finds this notice to have been sent in error, however, they may send a counternotice to the website. The user must identify themselves in this counternotice and the counternotice thus constitutes a notice to the effect of “if you've got a problem with this, sue me, not the website”. After no less than 10 days (!) from receipt of the counternotice, the website may restore the content which was taken down.
As was made clear above, 17 USC 512(c) is inapplicable to this complaint, but GitHub has processed it as though it is a complaint pursuant to that section. Necessarily therefore, the counternotice provisions under 17 USC 512(c) are equally inapplicable — but one wonders what GitHub would do if it received an e. mail purporting to be a counternotice in just the same way that the original e. mail purported to be a takedown notice within the meaning of 17 USC 512(c).
On the one hand, the fact that GitHub has processed the complaint in a 17 USC 512(c)-like manner suggests that they are trying to stick to what they know with their 17 USC 512(c) process, even though the complaint actually regards 17 USC 1201. If this is the case, they might continue to try and stick to what they know and agree to process an e. mail purporting to be a counternotice.
On the other hand, GitHub's processing of such a counternotice in a 17 USC 512(c)-like way, because 17 USC 512(c) is not actually applicable, would not actually confer upon it any immunity. If it thereafter allowed the potential 17 USC 1201 violation to continue to be hosted on its service, it would be hard to argue that it was not hosting such material “wilfully”. In this regard, GitHub could, by trying to pretend that 17 USC 512(c) and the procedures it proscribes are applicable, accidentally confer liability upon itself by agreeing to republish material in violation of 17 USC 1201, if it were indeed the case that the database entry in question is such a violation.
Is the database entry a violation of 17 USC 1201?
I don't know.
That said, it seems like a stretch. What Easylist publishes is a list of domain names and URL patterns. This is not so different from publishing a list of companies which one argues one shouldn't do business with for one ethical reason or another. Since this dispute is taking place in the US and under US law, the 1st Amendment may also provide relevant protections.
If 17 USC 1201 is found to be applicable, however, it would hardly be the first time this ill-advised law has threatened to have baleful overreach.
But I will leave the more detailed considerations about the claim of 17 USC 1201 violation to people more qualified to evaluate the issue.
Disclaimer: I am not a lawyer and nothing in this document is legal advice.