Tag: CloudFlare

Categories
Copyright Internet Uncategorized

CloudFlare’s Desperate New Strategy to Protect Pirate Sites

a gavel lying on a table in front of booksSan Francisco-based CloudFlare has earned a somewhat dubious reputation in the online world. Website owners can set up CloudFlare in just a few minutes, gaining the performance, security, and privacy benefits the service provides. Traffic routed through CloudFlare’s global content delivery network is cached for faster delivery times and protected from numerous online threats. Pirate sites have flocked to the service because it hides their true identities from copyright owners by default. And it probably doesn’t hurt that CloudFlare CEO Matthew Prince thinks that “censoring the Internet” is “creepy,” even “under a court order.”

Prince practices what he preaches, and CloudFlare has been all-too-ready to lend a helping hand to even the most notorious pirates. When The Pirate Bay rose from the ashes in early 2015, CloudFlare provided the site with services that helped manage its massive server loads. CloudFlare’s encryption technology even made it easy for users in the UK to circumvent the High Court’s ban ordering ISPs to block the pirate site. Amazingly, The Pirate Bay is now back in the United States, using its original thepiratebay.org Virginia-based domain and benefiting from CloudFlare’s robust services to make its criminal enterprise run smoothly worldwide.

Of course, the only reason CloudFlare can get away with supporting the world’s most-visited torrent site is because the DMCA is such a mess. Courts have set the bar so high that CloudFlare wouldn’t likely be found to have red flag knowledge of the massive amounts of infringement it certainly knows its service enables for globally-infamous criminal infringers like The Pirate Bay. Rather than taking the high road and refusing to work with obvious pirate sites, CloudFlare lawyers up when pushed and denies the supportive role that its service provides.

We saw this last year in the Grooveshark case. After the original Grooveshark site was found liable for willful infringement and agreed to shut down, copycat sites sprung up at different top-level domains such as grooveshark.io and grooveshark.pw. The plaintiffs obtained a temporary restraining order against the copycats, which registrars Namecheap and Dynadot promptly complied with by disabling some of the domains. But when the plaintiffs asked CloudFlare to stop providing services to some of the other copycats, they were met with firm resistance. The plaintiffs had to turn to the court for an order clarifying that the injunction against the copycat sites prevented CloudFlare from providing them services.

With the backing of the Electronic Frontier Foundation, CloudFlare put up a big fight. It denied that it was in “active concert or participation” with the copycats, which under Rule 65 would have made it bound by their existing injunction. CloudFlare argued that its services were merely passive and that the domains would still remain accessible even if its services were cut off. The district court rejected CloudFlare’s self-serving arguments, noting that it was in fact aiding and abetting the copycat sites by operating their authoritative domain name servers and optimizing their traffic worldwide. Since CloudFlare had actual notice of the injunction and was in “active concert or participation” with the enjoined copycats, it was also bound by their injunction under Rule 65.

Hit with what must have been the eye-opening reality that, under penalty of contempt, it couldn’t knowingly help its enjoined customer engage in the very wrong the court had ordered it to stop committing, one might think that CloudFlare would have become more respectful of court orders involving its customers. However, as recent developments in the MP3Skull case show, CloudFlare has decided to again take the low road in shirking its responsibility to the court. And its argument here as to why it’s beyond the court’s reach is even more desperate than before.

In April of 2015, several record label plaintiffs sued MP3Skull for copyright infringement, easily obtaining a default judgment when the defendants failed to respond to the suit. Earlier this year, the plaintiffs were granted a permanent injunction, which the defendants quickly flouted by setting up shop under several different top-level domains. Naturally, the common denominator of these multiple MP3Skull sites was that they used CloudFlare. The plaintiffs’ lawyers sent a copy of the injunction against the pirate sites to CloudFlare, asking it to honor the injunction and stop supplying services to the enjoined domains. But, as with Grooveshark, CloudFlare again refused to comply.

The record label plaintiffs have now gone back to the district court, filing a motion requesting clarification that CloudFlare is bound by the injunction against the MP3Skull sites. They argue that the “law is clear that CloudFlare’s continued provision of services to Defendants, with full knowledge of this Court’s Order, renders CloudFlare ‘in active concert or participation’ with Defendants,” and they point to the opinion in the Grooveshark case in support. According to the plaintiffs, the only issue is whether CloudFlare is aiding and abetting the enjoined defendants by providing them services.

CloudFlare opposes the motion, though it noticeably doesn’t deny that it’s in “active concert or participation” with the enjoined defendants. Instead, CloudFlare argues that, since this is a copyright case, any injunction against it must comply with the DMCA:

Section 512(j) prescribes specific standards and procedures for injunctions against service providers like CloudFlare in copyright cases. It places strict limits on injunctions against eligible service providers. 17 U.S.C. § 512(j)(1). It specifies criteria that courts “shall consider” when evaluating a request for injunctive relief against a service provider. 17 U.S.C. § 512(j)(2). And it requires that a service provider have notice and an opportunity to appear, before a party may bind it with an injunction. 17 U.S.C. § 512(j)(3). Plaintiffs ignored those requirements entirely.

The gist of CloudFlare’s argument is that Section 512(j) controls injunctions against service providers like itself, notwithstanding the fact that Rule 65 binds those in “active concert or participation” with an enjoined party. In other words, CloudFlare says that the DMCA gives service providers unique immunity from having to obey court-issued injunctions under the Federal Rules—a remarkable claim requiring remarkable proof. And the case law cited to back up this claim? None. Zip. Nada. CloudFlare fails to produce one single cite showing that any injunctive-relief statute, whether copyright or otherwise, has ever been deemed to preempt the longstanding rule that it’s contempt of court to aid and abet an enjoined defendant. The desperation is palpable.

The reason the DMCA doesn’t apply to CloudFlare is obvious. Section 512(j) states that it “shall apply in the case of any application for an injunction under section 502 against a service provider” that qualifies for the safe harbors. CloudFlare goes on for pages about how it’s a service provider that would qualify for the safe harbor defense if given the chance, but all of this misses the point: CloudFlare is not being enjoined. The only service provider being enjoined is MP3Skull—and that injunction was issued under Section 502 without the limitations set forth in Section 512(j) because MP3Skull didn’t even bother to show up and attempt to claim the safe harbors. But the plaintiffs have not sought an injunction against CloudFlare, which they could only do by naming CloudFlare as a party to the suit.

Since CloudFlare itself isn’t being enjoined under Section 502, Section 512(j) provides it no limitations. The issue is simply whether, under the Federal Rules, CloudFlare is bound by the injunction that has already been issued against the MP3Skull sites. Perhaps not wanting to get bench-slapped again on the aiding and abetting question under Rule 65, CloudFlare is taking an even lower road with this desperate new argument that it’s magically immune to court orders against its customers under the Federal Rules. The district court has yet to rule on the plaintiffs’ motion, but my guess is that it will make short work in reminding CloudFlare of the court’s true power to hold aiders and abettors in contempt.

Categories
Copyright Infringement Internet Uncategorized

The Dangerous Combination of Content Theft and Malware

Cross-posted from the Mister Copyright blog.

circuit boardMalware, short for malicious software, has been used to infiltrate and contaminate computers since the early 1980s. But what began as relatively benign software designed to prank and annoy users has developed into a variety of hostile programs intended to hijack, steal, extort, and attack. Disguised software including computer viruses, worms, trojan horses, ransomware, spyware, adware, and other malicious programs have flooded the Internet, allowing online criminals to profit from illicit activity while inflicting enormous costs on businesses, governments and individual consumers.

Purveyors of malware target unsavory websites to embed and distribute their programs, often making deals with those in the business of disseminating stolen content. Content theft websites that appear online through legitimate hosting and content delivery systems are frequently riddled with devious malware that infect the computers of users looking to download or stream pirated music, movie and television shows.

Last week, the Digital Citizens Alliance (DCA) published a report detailing how US tech companies are allowing cyber criminals to use their services to perform a myriad of illegal exploits. Enabling Malware focuses on how stolen content is being used as bait to infect users’ computers and how domestic hosting and content delivery companies are permitting online criminals to profit from the spread of dangerous malware.

Employing the expertise of Internet security firm RiskIQ, the report found that 1 in 3 content theft websites expose users to infectious malware and that visitors are 28 times more likely to encounter malware on content theft sites than mainstream, legitimate websites. And although these nefarious websites are usually created and maintained by overseas operators, they rely on North America hosting companies to function.

It’s a tricky partnership because while the hosting companies are not breaking the law by allowing disreputable websites to make us of their services, they are facilitating criminal networks whose activities could have catastrophic consequences. The report likens these service companies to landlords who turn a blind eye to the illegal activity of a renter. The issue is the same one being examined by the Copyright Office in its DMCA 512 study: When does a service provider have the requisite knowledge of illicit activity to trigger a duty to address the problem?

But while Section 512 of the DMCA hopes to combat copyright infringement online, the introduction of malware to content theft sites has consequences more far-reaching and dire than the dissemination of stolen works. Once malware infiltrates a system and hackers are able to take over, the results can be disastrous. The report details a wide range of criminal activity that can result from malware infection including the theft of bank credentials and credit card information that is then subsequently sold online, locking computers and demanding ransoms to return access, and hijacking webcams to film users without consent. The report warns:

[T]hese companies are now contributing to a growing issue for Americans: the threat of computer infections, the rise of identity theft and loss of financial information. The U.S. Department of Justice reports that 16.2 million U.S. consumers have been victimized by identity theft, with financial losses totaling over $24.7 billion.

According to the study, one of the most notorious companies enabling the websites that spread malware is CloudFlare. Marketing itself as a global content protection and security service provider, CloudFlare actually conceals a website’s true hosting information, inserting their network information instead. This allows for notorious content theft websites to mask information related to their actual hosting companies, making it more difficult to identify those complicit in their illegal activity.

Employing CloudFlare’s services are websites like Putlockerr.io, which offers a wide array of pirated movies for download. But when a user attempts to watch a movie via Putlocker, they download more than pirated content. After a user clicks to watch a movie, they are redirected to a new site that prompts them to download a new video player in order to view the content. This download is in fact a mechanism to deliver the malware that will wreak havoc on their system.

One of the worst distributors of malware identified by RiskIQ was watchfreemoviesonline.top. According to the study, the websites malware exposure rate was 32 percent and baited users into downloading the infectious software by offering popular movies like Captain America: Civil War in advance of its theatrical release. Watchfreemoviesonline.top uses Hawk Host, a company offering services similar to CloudFlare, to hide information about their actual hosting affiliations.

The Digital Citizens Alliance contacted both CloudFlare and Hawk Host to inform them of the findings of the RiskIQ report, and received differing responses. After being presented with clear evidence of the shady and illegal activities of watchfreemoviesonline.top, Hawk Host acknowledged that the site violated their terms of service and told the DCA that the site would come down. Hawk Host also agreed to meet with DCA researches to further discuss the RiskIQ report.

Unfortunately, the DCA’s interaction with CloudFlare was not as encouraging. In response to an email informing the company of the findings of the RiskIQ report, CloudFlare responded with a vague comment disclaiming any responsibility for the content of their client websites.

In the past few years, there’s been progress among service companies’ accountability efforts, with many refusing to deal with criminal websites. Payment providers like PayPal and Visa have stopped permitting illicit websites to use their services, and online advertisers have vowed to stop dealing with infamous content theft sites. But in order to eradicate content theft sites and the malware they propagate, the companies that help veil their identities and enable criminal activity must be help accountable.

Categories
Uncategorized

The MovieTube Litigation: Who Needs SOPA?

Cross-posted from the Law Theories blog.

On July 24th, six major studios sued MovieTube for direct and indirect copyright infringement, trademark infringement, and unfair competition in the Southern District of New York. MovieTube is alleged to have operated twenty-nine foreign-based websites that streamed, displayed, and uploaded infringing copies of the studios’ copyrighted works. Not knowing the defendants’ true identities, the studios brought suit against the “John Does, Jane Does and/or XYZ Corporations” that allegedly operated the MovieTube sites. The district court allowed the studios to serve process on the defendants via email.

The remedies being sought by the studios have raised a few feathers. MovieTube operates out of Singapore, and the studios argue that it is “essential . . . that injunctive relief include orders directed at third parties whose services enable Defendants’ activities.” Since MovieTube relies on “domain name registries and other third-party service providers and their network of affiliates to carry out their activities,” the studios are seeking an order “requiring that: (i) registries and registrars disable the domain names used to operate the MovieTube Websites and (ii) third-party service providers cease providing services to the MovieTube Websites and Defendants in relation to the Infringing Copies.”

While some have suggested that the studios “didn’t get the memo that SOPA failed,” I think the real question is, “Who needs SOPA?” Everyone knows that SOPA never became law, and the studios haven’t brought any claims under SOPA. Moreover, even if SOPA were the law, it would make no difference here. SOPA would have only provided private rightholders with statutory remedies against a “payment network provider” or an “Internet advertising service.” Only actions brought by the Attorney General would qualify for statutory remedies against service providers such as registrars, registries, and search engines.

The studios instead argue that the court’s power to issue such orders comes from:

(i) 17 U.S.C. § 502, which allows a court to “grant temporary and final injunctions on such terms as it may deem reasonable to prevent or restrain infringement of a copyright;”

(ii) 15 U.S.C § 1116(a), which provides for an injunction “according to the principles of equity and upon such terms as the court may deem reasonable, to prevent the violation of any right of the registrant of a mark registered in the Patent and Trademark Office or to prevent a violation under subsection (a), (c), or (d) of section 43 [15 U.S.C. § 1125];”

(iii) Federal Rule of Civil Procedure 65(d)(2), which imbues courts with the power to issue injunctions that bind parties, parties’ officers, agents, servants, employees, and attorneys and any “other persons who are in active concert or participation with” any such individuals or entities;

(iv) the Court’s “inherent equitable power to issue provisional remedies ancillary to its authority to provide final equitable relief,” which encompasses injunctions as broad as restraining defendants’ assets to preserve them for disgorgement of profits and equitable accounting . . . and/or

(v) the Court’s power pursuant to 28 U.S.C. § 1651 (the All Writs Act) to issue all writs necessary or appropriate in aid of its jurisdiction and agreeable to the usages and principles of law.

The question is whether the court has the power under these authorities to issue an injunction against MovieTube that binds third-party service providers. SOPA has nothing to do with it.[1]

After the studios filed suit, the MovieTube defendants shut down their operations. Nonetheless, a group of tech giants, comprised of Google, Facebook, Tumblr, Twitter, and Yahoo, filed an amicus brief arguing that “the proposed injunction violates Federal Rule of Civil Procedure 65 and the safe-harbor provisions of the DMCA.” Specifically, the amici claim that an injunction against MovieTube couldn’t bind third parties such as themselves because Rule 65(d)(2) and Section 512(j) of the DMCA wouldn’t allow it.[2] I don’t think either of these two arguments holds much water, especially for service providers like these amici that link to or host infringing material.

Blockowicz and Rule 65(d)(2)

Rule 65(d)(2) provides that only three groups may be bound by an injunction:

(2) Persons Bound. The order binds only the following who receive actual notice of it by personal service or otherwise:

(A) the parties;

(B) the parties’ officers, agents, servants, employees, and attorneys; and

(C) other persons who are in active concert or participation with anyone described in Rule 65(d)(2)(A) or (B).

The amici argue that Rule 65(d)(2) can’t bind third parties like them since it cannot be shown that they are in “active concert or participation” with the MovieTube defendants. In support, they cite the Seventh Circuit’s decision in Blockowicz v. Williams. The issue there was whether nonparty Ripoff Report was bound by an injunction against some of its users that had posted defamatory material to its site. Ripoff Report conceded “actual notice” of the injunction, but it argued that it was not in “active concert” with its defaming users.

The Seventh Circuit agreed:

Actions that aid and abet in violating the injunction must occur after the injunction is imposed for the purposes of Rule 65(d)(2)(C), and certainly after the wrongdoing that led to the injunction occurred. This requirement is apparent from Rule 65(d)(2)’s text, which requires that nonparties have “actual notice” of the injunction. A non-party who engages in conduct before an injunction is imposed cannot have “actual notice” of the injunction at the time of their relevant conduct. . . .

Further, the [plaintiffs] presented no evidence that [Ripoff Report] took any action to aid or abet the defendants in violating the injunction after it was issued, either by enforcing the Terms of Service or in any other way. . . . [Ripoff Report’s] mere inactivity is simply inadequate to render them aiders and abettors in violating the injunction.

Thus, Ripoff Report was not in “active concert” with its users by simply continuing to host the defamatory material that had been posted to its site before the injunction was issued. The amici here claim that this same logic applies to them: “[E]ven if Plaintiffs had shown that the Neutral Service Providers rendered services to the Defendants, merely continuing to provide those services cannot amount to acting in concert.’”

Blockowicz is not binding precedent here, of course, but the district court could find it persuasive. I think it’s clear that the Seventh Circuit reached the wrong conclusion. The test is whether the third party has actual notice of the injunction and then aids and abets the enjoined defendant. It’s black letter law that anyone who publishes or republishes defaming material is strictly liable for the defamation. On the other hand, a distributor is not liable as a publisher unless it knows or has reason to know that the material is defamatory.

For example, a book publisher is strictly liable for publishing a defamatory book. A bookseller that sells that defamatory book is not liable for the defamation unless it knows the material is defamatory. If it learns of the defamatory nature of the book and then continues to sell it, the bookseller is considered a publisher and is liable for the defamation along with the book publisher. In other words, the passive book distributor becomes an active aider and abettor of the book publisher once it gains knowledge of the defamation and fails to stop selling the book.

Of course, this rule from the physical world does not apply when it’s done on the internet. Section 230(c)(1) of the Communications Decency Act provides: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” While the statute on its face only grants immunity to a “publisher,” courts have interpreted it broadly to apply to a “distributor” as well. As the Fourth Circuit put it in the leading case, “distributor liability. . . is merely a subset, or a species, of publisher liability, and is therefore also foreclosed by § 230.”

Section 230’s immunity for a publisher extends to a distributor with knowledge because that knowledge transforms the distributor into a publisher. The plaintiffs in Blockowicz could not go after Ripoff Report directly because Section 230 granted it immunity from civil liability. The reason it had such immunity was precisely because the knowledge of the defamation transformed it from a passive distributor to an active publisher. The plaintiffs instead went after the defamers directly, asking the court to bind Ripoff Report under Rule 65(d)(2). The Seventh Circuit’s refusal to stop Ripoff Report from aiding and abetting the enjoined defendants left the plaintiffs without a remedy—an absurd result.

Turning back to MovieTube, the amici claim that an injunction against the defendants could not bind them since they wouldn’t be aiding and abetting the defendants. This is simply not true. As with defamation, it’s black letter law that a service provider that knowingly provides material support to an infringer is contributorily liable for the infringement. In other words, the passive service provider becomes an active aider and abettor of the infringer once it gains knowledge of the underlying infringement and fails to act. This is why service providers such as the amici remove infringing material once they receive notice that they are linking to or hosting it.

When it comes to copyright infringement, the amici cannot hide behind the broad immunities of Section 230. They instead can only hope to qualify for the limitations on liability found in Section 512 of the DMCA. Of course, these safe harbors don’t protect the amici if they learn of infringing material on their systems and fail to remove it. Under Section 512(d)(1), a search engine such as Google or Yahoo does not get immunity unless it, “upon obtaining . . . knowledge or awareness” of infringing material, “acts expeditiously to remove, or disable access to, the material.”[3] The same holds true under Section 512(c)(1) for sites like Facebook, Tumblr, and Twitter that host content uploaded by their users.

When a service provider learns of infringing material on its system and fails to remove it, it becomes an aider and abettor that is jointly and severally liable with the direct infringer. But this is only true when that service provider’s contribution to the infringement is material. The DMCA codified exclusions to the safe harbors for contributions that were decidedly material, such as linking to or hosting infringing material. However, things get hazier at the margins. For example, a panel of the Ninth Circuit once split over whether a credit card processor materially contributes by servicing an infringing site. Over the vociferous dissent of Judge Alex Kozinski,[4] the two-judge majority held that it did not.

The problem for Google, Facebook, Tumblr, Twitter, and Yahoo is that there is no doubt that their failure to act once they receive notice of infringing material unquestionably constitutes aiding and abetting. Not only is it enough to find them in “active concert” with their users under Rule 65(d)(2), it’s enough to hold them contributorily liable for the infringement. They aren’t like a credit card processor, where the materiality of the contribution is in doubt. It’s well-settled that what the amici do—linking to and hosting copyrighted works—constitutes material contribution. That’s why the safe harbors under Section 512, which codified the case law, don’t apply to service providers such as them that fail to remove infringing material upon notice.

[1] I get that many people are just playing the SOPA card for rhetorical effect. But some are also arguing that SOPA would have provided rightholders with these remedies, and since SOPA is not the law, the studios therefore don’t have these remedies available. This argument is simply fallacious. With or without SOPA, the issue remains whether the court has the authority to grant the studios the requested relief.

[2] The amici do not address the existence of such authority under the Lanham Act or under the court’s inherent equitable power, and neither do I. They do argue that the All Writs Act provides no such authority, but I leave that argument aside.

[3] See also Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1172 (9th Cir. 2007) (“Accordingly, we hold that a computer system operator can be held contributorily liable if it has actual knowledge that specific infringing material is available using its system and can take simple measures to prevent further damage to copyrighted works yet continues to provide access to infringing works. . . . Applying our test, Google could be held contributorily liable if it had knowledge that infringing Perfect 10 images were available using its search engine, could take simple measures to prevent further damage to Perfect 10’s copyrighted works, and failed to take such steps.”) (quotations and citations omitted).

[4] See Perfect 10, Inc. v. Visa Int’l Serv. Ass’n, 494 F.3d 788, 816 (9th Cir. 2007) (Kozinski, J., dissenting) (“Defendants here are alleged to provide an essential service to infringers, a service that enables infringement on a massive scale. Defendants know about the infringements; they profit from them; they are intimately and causally involved in a vast number of infringing transactions that could not be consummated if they refused to process the payments; they have ready means to stop the infringements.”).

Categories
Copyright Injunctions Internet Remedies Trademarks Uncategorized

CloudFlare Enjoined From Aiding Infringers: Internet Unbroken

Just how far does a court’s power to enjoin reach into cyberspace? It’s clear enough that those directly posting or hosting infringing content are subject to an injunction. But what about a company such as CloudFlare that provides content delivery network and domain name server services? Does an injunction under Rule 65 against anyone acting in “active concert or participation” with an online infringer apply to an internet infrastructure company such as CloudFlare? CloudFlare recently argued that its service is “passive” and untouchable, but a district court vehemently—and rightly—disagreed.

The controversy started with the shutdown of the Grooveshark music streaming service pursuant to a settlement agreement with the major record label plaintiffs this past April. Back in September of 2014, Grooveshark and its two founders were found directly and indirectly liable for copyright infringement. After the district court held that their infringement was “willful,” thus subjecting them to potential statutory damages exceeding $736 million for the 4,907 works-in-suit, they consented to paying $50 million in damages and shutting down the grooveshark.com site rather than risk it with a jury.

But the demise of Grooveshark was short-lived, and just days after publicly apologizing for failing “to secure licenses from right holders,” two copycat sites popped up at different top-level domains: grooveshark.io and grooveshark.pw. The record label plaintiffs filed a new complaint and obtained ex parte relief, including a temporary restraining order (TRO), against the new sites. Upon receipt of the TRO, Namecheap, the registrar for both sites, disabled the .io and .pw domain names. When another copycat site was established at grooveshark.vc, the domain name was quickly disabled by Dynadot, the registrar, after it received the TRO.

Undeterred, the defendants publicly taunted the plaintiffs and registered yet another copycat site at grooveshark.li. Rather than continuing this global game of domain name Whac-A-Mole, the plaintiffs served the TRO on CloudFlare, the service utilized by the defendants for each of the infringing domains. And this is where things got interesting. Rather than swiftly complying with the TRO, as the domain name registrars had done, CloudFlare lawyered up and contended that it was beyond the court’s reach.

In its briefing to the court, CloudFlare argued that it played merely a passive role for its customers—including the defendants and their copycat site—by resolving their domain names and making their websites faster and more secure. CloudFlare disavowed the ability to control any content on the copycat site, and it denied that it was in active concert or participation with the defendants:

Active concert requires action, and CloudFlare has taken none. Participation means assisting a defendant in evading an injunction. CloudFlare has not so assisted defendants and, in fact, has no ability to stop the alleged infringement. Even if CloudFlare—and every company in the world that provides similar services—took proactive steps to identify and block the Defendants, the website would remain up and running at its current domain name.

CloudFlare did not deny that the defendants utilized its services; it instead argued that the TRO would not remove the infringing site from the internet. Thus, CloudFlare’s position hinged on its own passivity and on the futility of enjoining it from providing services to the defendants.

A moment’s reflection reveals the superficiality of this position. The fact that CloudFlare had no control over the content of the copycat site was not dispositive. The question was whether CloudFlare aided the defendants, and there was no doubt that it did. It was not only the defendants’ authoritative domain name server, it also optimized and secured their copycat site. That the defendants could have used other services did not erase the fact that they were using CloudFlare’s services. And once CloudFlare was served with the TRO and made aware of the copycat site, its continued provision of services to the defendants constituted active concert or participation.

CloudFlare’s policy arguments were similarly unpersuasive. It suggested that the TRO “would transform a dispute between specific parties into a mandate to third parties to enforce” the plaintiffs’ rights “against the world in perpetuity.” Of course, that is not what happened here. The question was not who else in the world the TRO reached; the question was whether the TRO reached CloudFlare because it aided the defendants.

CloudFlare further argued that it could not be enjoined because “Congress explicitly considered and rejected granting such authority to the courts with respect to Internet infrastructure providers and other intermediaries for the purpose of making a website disappear from the Internet.” To enjoin it, CloudFlare proposed, would be to pretend that the Stop Online Piracy Act (SOPA) “had in fact become law.” This argument, however, completely ignored the fact that courts have long been empowered to enjoin those in active concert or participation with infringers.

In reply, the record label plaintiffs rebuffed CloudFlare’s claim that it was not aiding the defendants: “CloudFlare’s steadfast refusal to discontinue providing its services to Defendants – who even CloudFlare acknowledges are openly in contempt of this Court’s TRO – is nothing short of breathtaking.” They pointed to how CloudFlare continued to aid the defendants, even after being on notice of the TRO: “[T]he failure of an Internet service provider to stop connecting users to an enjoined website, once on notice of the injunction, readily can constitute aiding and abetting for purposes of Rule 65.”

In the real world, CloudFlare markets the benefits of its services to its customers. It touts its content delivery network as delivering “the fastest page load times and best performance” through its “34 data centers around the world.” It boasts having “web content optimization features that take performance to the next level.” It offers robust “security protection” and “visitor analytics” to its customers. And its authoritative domain name server proudly serves “43 billion DNS queries per day.” But when it came to the defendants’ copycat site, it claimed to be a “passive conduit” that in no way helped them accomplish their illicit goals. This disingenuousness is, to borrow the plaintiffs’ term, “breathtaking.”

District Judge Alison J. Nathan (S.D.N.Y.) made short work in rejecting CloudFlare’s shallow denials. She noted that there was no factual question that CloudFlare operated the defendants’ authoritative domain name server and optimized the performance and security of their copycat site. The question was whether these acts were passive such that CloudFlare was not in “active concert or participation” with the defendants. Judge Nathan held that the services CloudFlare provided to the defendants were anything but passive:

CloudFlare’s authoritative domain name server translates grooveshark.li as entered in a search browser into the correct IP address associated with that site, thus allowing the user to connect to the site. Connecting internet users to grooveshark.li in this manner benefits Defendants and quite fundamentally assists them in violating the injunction because, without it, users would not be able to connect to Defendants’ site unless they knew the specific IP address for the site. Beyond the authoritative domain name server, CloudFlare also provides additional services that it describes as improving the performance of the grooveshark.li site.

Furthermore, Judge Nathan dismissed CloudFlare’s argument that it was not helping the defendants since they could simply use other services: “[J]ust because another third party could aid and abet the Defendants in violating the injunction does not mean that CloudFlare is not doing so.” And to CloudFlare’s concern that the TRO was overly broad, Judge Nathan reasoned that the issue before her was CloudFlare’s own actions, not those of other, possibly more attenuated, third parties: “[T]he Court is addressing the facts before it, which involve a service that is directly engaged in facilitating access to Defendants’ sites with knowledge of the specific infringing names of those sites.”

This TRO wasn’t about the “world at large,” and it wasn’t about turning the companies that provide internet infrastructure into the “trademark and copyright police.” It was about CloudFlare knowingly helping the enjoined defendants to continue violating the plaintiffs’ intellectual property rights. Thankfully, Judge Nathan was able to see past CloudFlare’s empty and hyperbolic position. Protecting intellectual property in the digital age is difficult enough, but it’s even more challenging when services such as CloudFlare shirk their responsibilities. In the end, reason trumped rhetoric, and, best of all, the internet remains unbroken. In fact, it’s now even better than before.

Further reading: Leo Lichtman, Copyright Alliance, Bringing Accountability to the Internet: Web Services Aiding and Abetting Rogue Sites Must Comply With Injunctions