The DMCA enables harm

Content warning: this post contains references to online stalking, doxxing, harassment, and deadnaming.

I have a lot of opinions about copyright and the DMCA, but a vanishingly small proportion of those opinions are particularly unique or notable. There are plenty of people who are far better qualified than I to opine about the state of copyright law at a structural level, and I will not presume that I could write anything on the matter that would be contributory.

I do, however, have direct experience with one aspect of the DMCA: the abuse of takedown processes by malicious actors looking to obtain the personal details of victims.

This problem can be split into two halves: the legal requirements of the DMCA itself, and the real-world procedures and policies implemented by organisations who have to comply with the DMCA. These are, of course, interwoven, but it is important to clarify that the actual real-world effects of the DMCA are not just a product of the legal text alone.

Here’s a rough overview of the DMCA takedown process in the context of media uploaded to a third party service provider:

  • A claimant sends a takedown notice to the service provider including details of the infringing material, the material being infringed upon, the name, address, and contact details of the claimant / rights holder, and a signature certifying that the details provided are truthful and correct under penalty of perjury.
  • The service provider hosting the allegedly infringing content reviews the takedown notice for validity. If the takedown notice is deemed invalid, they may choose not to enforce the notice, and will typically inform the claimant that their notice was deemed invalid. If the takedown notice is deemed valid, then they must comply with it.
  • If the takedown notice is deemed valid, the service provider must remove the allegedly infringing content and forward the takedown notice to the uploader. Some service providers will redact the postal address and telephone number of the claimant in the forwarded notice, for privacy reasons.
  • If the uploader, in good faith, does not believe that the content infringes upon the claimant’s rights, the uploader must respond with a counter notice. This counter notice must contain the name, address, and contact details of the person making the counter notice, along with a signature certifying that the details provided are truthful and correct under penalty of perjury.
  • The service provider reviews the counter notice for validity. If the counter notice is invalid (e.g. missing required details) then they must reject it. If the counter notice is valid, they forward it to the original claimant. However, unlike with a takedown notice, service providers rarely redact the personal details provided in a counter claim, meaning that all details are sent to the claimant.
  • The claimant then has 10-14 days to initiate a lawsuit against the uploader, and provide evidence of those legal proceedings to the service provider. If they fail to do this, the takedown notice is invalidated and the service provider is free to reinstate the content.

There are far too many problems and pitfalls with this process to cover them all here. I’m only going to focus on one specific problem: a malicious actor (e.g. a stalker or harasser) can abuse this process to extort personal details from a victim.

The approach is as follows:

The malicious actor sends a fraudulent takedown notice to the service provider, typically impersonating a third party who might reasonably hold rights to the content in question. For example, if the video contains footage of a game, the malicious actor might impersonate the game studio or publisher, or a legal professional representing one of those organisations.

In a reasonable world, the content provider would see that the takedown notice did not come through an official channel (e.g. from an email address on the organisation’s official domain) and recognise it as fraudulent and invalid. However, if the content provider fails to comply with a takedown notice that is later deemed to be valid, they themselves are open to legal repercussions (i.e. lawsuits). This situation is reasonably manageable if the takedown notices are being reviewed by legal professionals employed by the service provider, but this becomes infeasible for service providers that operate at scale (e.g. YouTube), so the people reviewing takedown notices typically end up being low-paid office workers operating in a similar fashion to content safety review teams, with minimal training. Companies are risk-averse, so the workers are generally trained to accept any takedown notice unless it is missing significant details that are required by law. As with many business functions that are considered cost centres rather than moneymakers, workers are budgeted so little time per case that it is deemed infeasible to do something as simple as cross-reference the source email address with prior legitimate takedown requests from the same organisation. As such, even an overtly malicious actor sending a takedown notice from an unofficial email address such as nintendolawyers@yahoo.net is still very likely to be successful.

If (when) the service provider deems the takedown notice to be valid, they must take down the allegedly infringing content and forward the notice to the uploader, who is the victim in this context. It is important to note here that optional grace periods, where the claimant grants the uploader some period of time (e.g. 7 days) to remove the content of their own volition, are not codified in law. Service providers often implement their own punitive measures (e.g. copyright strikes) which trigger sanctions or account bans as a result of repeated copyright violations. If a claimant does not believe that such sanctions are warranted or necessary, for example if it is clear that the uploader thought they were operating under fair use protections, then they may choose to issue a delayed takedown and offer the uploader a chance to avoid punishment by taking the video down ahead of the forced removal date. Of course, a malicious claimant intending to extort a victim would not opt into this delay.

At this point the victim is notified (typically via email) that their content was taken down due to a DMCA takedown notice. The contents of the notice are included verbatim, although the address and phone number may be redacted. If the service provider is a small-enough company, the victim might be able to get in touch with the right people and convince them that the notice is fraudulent. However, in the majority of cases, the service provider is impenetrably faceless, as is the case with YouTube, Facebook, Etsy, and Twitch. The provider typically offers only an automated procedure that must be followed, and that procedure is designed around the counter notice process described by the DMCA.

The DMCA requires the uploader (the victim) to file a counter notice to refute the original takedown notice, in order to restore the content. This notice must include the victim’s legal name and a postal address, and the service provider will typically attach the email address associated with the victim’s account. If the victim files a counter notice, these details are sent directly to the claimant. In addition, since the victim is acting legitimately and relies upon a good relationship with the service provider, whereas the malicious actor is acting illegitimately and does not care about the service provider, there is a disparity of consequences if the victim responds to the takedown notice with falsified personal details. In such a case, both the malicious actor and the victim are breaking the law, but the service provider can only punish the victim for it.

In addition, since the counter notice requires that the victim’s legal name be included, this is likely to have additional deleterious effects on transgender and nonbinary folks who have yet to, or otherwise cannot, update their legal name to their chosen name.

YouTube’s policies are a good example of the disparity involved. Their help page on the use of contact information when making copyright claims says the following:

Your full legal name is required to complete a copyright removal request. It may be shared with the uploader of the video removed for copyright infringement.
The primary email address from your removal request may be shared with the uploader of the video removed for copyright infringement. The uploader might get in touch with you to resolve their associated copyright strike.
Your physical address and phone number will remain confidential unless requested as part of a lawsuit. If YouTube is required to share any information, we’ll notify you before doing so.

Contact information in copyright removal requests – YouTube Help (accessed 2023-08-16)

When issuing a counter claim, however, you are offered far less protection:

Do not submit false information. Misuse of our processes, such as submitting fraudulent documentation, may result in the termination of your account or other legal consequences.
[…]
Counter notifications should be submitted by the original uploader of the content at issue. The original uploader must consent to sharing the information in the counter notification with the claimant. If disclosing personal information is a concern, an authorised representative (such as a lawyer) can submit on the uploader’s behalf by email, fax or post.

Submit a copyright counter notification – YouTube Help (accessed 2023-08-16)

The protection afforded to the claimant is, of course, largely immaterial in the context of a malicious takedown notice, since their details are falsified anyway and threatening them with an account ban is utterly meaningless. However, it does paint a stark contrast between the claim and counter-claim processes and policies. As for why this disparity in information transparency exists, I suspect it is rooted in the legal process defined by the text of the DMCA, but I am not a lawyer so I will not speculate further.

Victims who rely upon these service providers for income can have their livelihoods held hostage in this manner. However, I think it is also important to recognise that this situation just plain sucks regardless of whether money is involved. If you made something cool and shared it with the world, having someone come and take that away feels really bad, especially when the only recourse presented to you might lead to further harm.

There is no one single problem here. The DMCA itself is designed for a world where takedown notices are reviewed and handled by legal professionals, and, in my opinion, is more concerned with protecting corporate profits than protecting people from abusers and trolls. Service providers’ procedures and policies exacerbate the problem through legal risk aversion and strong financial incentives to minimise the level of scrutiny involved with compliance, leading to overzealous enforcement and a lack of accountability or recourse.

I am woefully underqualified to suggest how this might be improved at a legal level, let alone how to achieve such improvements in a political climate all but characterised by perverse incentives. But, rather than leave you empty handed, I will offer some limited advice. Not legal advice, of course, because I am not a lawyer and will never be your lawyer, but some advice based on my own exposure to abuse of the DMCA for stalking and harassment.

First: your personal situation is unique. Be wary of anyone – myself included – offering authoritative advice on what to do. There are too many unknowns to offer any kind of panacea. Malicious intent comes in many forms, and the types of harm that can be caused are significantly dependent on personal and situational factors. For example, I don’t have the lived experience of a trans person, so I am not in a position to offer nuanced advice that is fully considerate of the challenges faced by a trans victim of stalking, even with the best intent in the world. If you’ve got a trusted support network of people like yourself, their advice and compassion may be invaluable.

Second: be cautious of advice solicited on social media and in other public circles. If someone is trying to stalk or doxx you, they’ll likely see it, and may even respond with bad advice on purpose. People are also more likely to suggest drastic or implausible things when they don’t have to face the consequences of those actions. The social dynamics involved here have been talked to death, so I won’t dig any deeper here, especially because I know I’m preaching to the choir for the vast majority of people who might find themselves affected by the subject of this blog post. I’m also neither a psychologist nor an expert in stalking and harassment, so I’ll stay in my lane.

Third: wherever possible, try to reach out to the service provider and the organisation being impersonated (where relevant) through back channels. Customer services, if you can even reach them, are almost always useless and will just sap your time and energy. I happen to work in security and have a few friends and acquaintances who work at big organisations like Microsoft and Google, along with a social media following that skews quite heavily into tech, so I have had some success with getting the right message to the right people, often indirectly. In one case I got in touch with a friend in Microsoft’s .NET security team, who was able to poke someone in Microsoft’s legal team, who in turn found a manager in the “brand protection” team, who had a contact at YouTube, resulting in a victim’s video being restored after it was taken down via a fraudulent takedown notice purporting to be from Microsoft. In lieu of any kind of reasonable or sustainable abuse management process, this type of convoluted back-channel communication is often your best recourse. This is, of course, frustratingly dependent on the universe’s random number generator. Obviously, most people don’t just happen to have a helpful friend who works at the service provider or the company being maliciously impersonated. But there are countless people on the internet who might happen to have a useful contact, so it pays to ask around. A bit of kindness from a stranger can often bridge those six degrees of separation. Do be mindful of point two, above, though.

Fourth, and finally: if you find yourself having no choice but to issue a counter notice, there are some things you can do to minimise your exposure. You should search for the content provider’s policies and help pages relating to DMCA counter notices to identify what information will be shared if you choose to issue a counter notice, and look to see if there are alternative notice submission methods offered (e.g. email, fax, mail). However, do not assume that the person who handles your submission via the alternative method will properly comprehend what you send them, or act in your best interest. If a human is involved, it is best to presume that the person handling your case will be a poorly paid overworked agency intern at an outsourced office in a country where your language is not their first language. You can, at least, protect your address by signing up for a PO box. Some companies offer a free PO box where you pay per forwarded letter; I have previously used UK Postbox for this purpose. This is not entirely risk-free, as cheap postbox services are just as vulnerable to social engineering as any other organisation, but it does offer an extra layer of indirection. I have also found that you can simply enter “N/A” when a phone number is requested in a DMCA counter notice, as long as all other details are filled out. If your chosen name is not the same as your legal name, you might get away with using your chosen name instead, but this is a risk calculation that you must make yourself. How ordinary (for lack of a better word) your chosen name is will likely be a big factor in whether or not someone will start asking more questions – they’re much more likely to ask Stardust Moonwater for proof of ID than Alan Dowd.

That’s all I really have to say. I made this post because I happened to be able to help a few people who went through this, and I’m hoping that it’ll offer some useful advice and information should you ever find yourself or a friend in the unfortunate situation of being on the receiving end of a malicious DMCA takedown notice. I have no expectation that this blog post will kickstart a revolution in copyright law and inspire organisations to swallow a little risk and cost in the name of victim advocacy, nor am I qualified to direct such a revolution, so I would prefer it if folks didn’t turn my mentions into a serpentine thread of impotent rage in a vain attempt to resolve these global structural issues via the medium of Mastodon. I am not a defeatist on this matter – far from it – but our energy is better spent where it is useful.

Thanks for reading, and stay safe out there.