Written by Nathan Lovejoy
Edited by Harry Zhou
Editorial Policy
The September 30th issue of Rolling Stone featured an article provocatively titled “How to Save the Music Business” by U2 manager Paul McGuinness. In it, McGuinness shifts a hefty portion of responsibility for online copyright infringement to Internet service providers: “Let’s get real: Do people want more bandwidth to speed up their e-mails or to download music and films as rapidly as possible?”[i] He goes on to argue that service providers should take affirmative steps on behalf of rights holders to prevent illegal file sharing by their customers. This is not a new line of attack, especially in the two years since the Recording Industry Association of America’s (“RIAA”) efforts at suing individual file-sharers have come to an end. McGuinness might have, however, underestimated some of the pitfalls in implementing such a proposal. As rights holders, service providers, and governments in France, the United Kingdom, Ireland, and elsewhere begin to embark on various forms of this “graduated response” — an enforcement regime predicated on suspension of accused infringers’ Internet access — we are only now beginning to understand the full range of its complications.
This comment will address procedural due process concerns within a hypothetical legislative-backed graduated response regime in the United States. Although no such system is currently in place, this comment will look to the recently implemented French scheme as a model. Commonly referred to by the acronym of its governing authority — Haute Autorité pour la Diffusion des Œuvres et la Protection des Droits sur Internet (“HADOPI”) — France’s HADOPI overcame constitutional challenges and began enforcement action earlier this year. If we were to import this type of scheme to the US with the exact same set of procedures, it would run against some of our core procedural values.
This comment begins with a description of what graduated response is in the abstract and addresses some of the motivations for rights holders in pursuing this strategy. Next, the HADOPI model as laid out in France’s “Creation on the Internet” legislation[ii] is examined step-by-step, as a series of distinct enforcement procedures. Finally, this comment will argue that should the US adopt a legislatively-created, French-style graduated response regime, its procedures may be subject to criticism on due process grounds. These issues could be — and likely will be — sidestepped, however, through eschewing legislation in favor of private enforcement agreements.
What Is Graduated Response and What Will It Replace?
“Graduated response” refers to a system of online copyright enforcement that is an alternative to exclusively seeking judicial remedies against individual infringers. The linchpin is a cooperative relationship between rights holders and service providers through which one can notify the other of potential infringement by their subscribers and take increasingly severe punitive measures in response.[iii] The scope of these measures could range from e-mail notices to a complete suspension of Internet access.[iv] Section 512(i) of the Digital Millennium Copyright Act seems to potentially support a graduated response regime by requiring service providers to terminate the access of repeat infringers, but no procedures are specified and no definition for “repeat infringers” exists in the statutory language.[v] As a result of this lack of clarity, courts have been left with the task of interpretation and no clear affirmative duty has been found for service providers.[vi]
Following the RIAA’s announcement in 2008 that it would no longer pursue new lawsuits against individuals, a graduated response scheme was seen by some as a positive replacement that could both broaden enforcement and reduce the financial burden on individuals subject to the lawsuits. In the preceding years, the RIAA’s enforcement efforts generally followed these steps: First, an investigator (e.g. MediaSentry) uses various means to detect and record potential infringement over peer-to-peer networks on behalf of rights holders. In the case of programs like the late LimeWire, this process would usually involve the investigator connecting to the network and searching for infringing materials, identifying users sharing their clients’ works, downloading a few files to validate their content, taking screen shots, and recording one user’s IP address. Armed with this information, the RIAA would then subpoena the service provider of the user to connect her IP address to her identity. From here, the RIAA usually sent a “pre-lawsuit” notice to the user, one that would offer to not sue in exchange for three to five thousand dollars. Although most accused infringers wisely avoided the staggering costs of defending themselves in federal court, the few who have taken that leap have faced large statutory penalties.
In effect, this regime created an uneven terrain of enforcement. Most infringers avoided detection, a significant number of infringers paid the “pre-settlement” amounts, and a handful of infringers have been subjected to the crippling statutory penalties. It is understandable, from the perspective of a risk-adverse Internet user, why a more balanced enforcement regime — imposing smaller costs on more people — might be attractive compared to losing the enforcement lottery. From the RIAA perspective, a graduated response scheme offers the attractive possibility of broadening enforcement, reducing public scorn that results from unbalanced judgments, and lowering administrative costs by sharing them with service providers. Nonetheless, graduated response schemes are far from a panacea.
HADOPI Procedures
As places like the United Kingdom and France embark on the implementation process of graduated response regimes, issues surrounding accuracy, privacy, and human rights havesurfaced. France’s HADOPI, as the most prominent example of the legislative-backed graduated response schemes, is particularly instructive. Before addressing the concerns, however, it is necessary to understand the basic steps in the enforcement procedures.
(1) Detection: Representatives of rights holders in France — La Société Civile des Producteurs Phonographiques (“SCPP”) and l'Association de Lutte contre la Piraterie Audiovisuelle (“ALPA”) — have selected the detection company Trident Media Guard (“TMG”) to detect potential infringement over peer-to-peer networks. TMG collects IP addresses of potential infringers, presumably in a similar manner as described above, and reports them to the HADOPI High Authority. It has been estimated that around 150,000 IP addresses are reported every day.
(2) Review: Next the High Authority has the option to review the allegations and consult with rights holders and other concerned parties, thus acting in a fact-finding capacity.[vii] It is unclear what standards they require for proof of actual infringement at this stage.
(3) Report to service providers: The High Authority then sends the IP addresses to the relevant service providers for identification, and it requires the service providers to send the first notice to the subscriber.[viii]
(4) The first notice: The service providers send e-mails to the accused subscribers informing them that they have engaged in activities believed to constitute copyright infringement.[ix] The notice also describes the potential penalties if their actions continue.[x] There is no requirement to notify the subscriber as to either the identity of the accuser or the content of the work allegedly infringed.[xi] The detail of the allegations that the service provider must communicate in this first notice is not well defined in the legislation itself.[xii]
(5) Request for more information: An accused user may request more information from the HADOPI governing authority, but there is no explicit requirement for it to disclose more than the first notice does. The accused user may also request a hearing and has the right to counsel and to prepare a defense.[xiii]
(6) Second notice: Over the subsequent six months, if a user’s IP address is reported a second time, she will receive another notice via certified mail.[xiv] As with the first notice, the accused will have the ability to request a hearing and the level of detail required of the notice remains the same.
(7) Third infringement: If, within one year after the second notice, a user’s IP address once again appears among those reported to the HADOPI authority, the user will be subject to a non-adversarial, expedited judicial procedure[xv] (l'ordonnance pénale) — typically used for minor traffic violations — in which a judge decides the case with minimal participation of the parties to determine guilt and apply penalties.
(8) Applying the penalties: The judicial determination of the penalty will be based on five criteria: (1) The circumstances of the offense; (2) the severity of the offense; (3) the history of the offender; (4) whether the offense was for personal or commercial purposes; and (5) the offender’s socioeconomic position.[xvi] Penalties can range from suspension of Internet access for up to one year to a fine, or even imprisonment.[xvii] The offender is also barred from entering into a new service contract with another ISP, for the duration of any suspension, yet she will remain liable for payment for her suspended service.[xviii]
(9) Appeal: Under the expedited procedure, the alleged infringer is able to appeal the judge’s decision.
In the original construction of HADOPI, the French Constitutional Council pointed out two main concerns that arose from the lack of judicial oversight: first, that suspension of home Internet access by an administrative agency was a violation of an individual’s freedom of expression protected under the French constitution[xix]; and second, that the proposed procedures, as they stood, did not sufficiently assume a defendant’s innocence.[xx] HADOPI legislation that was ultimately enacted (and which is described in this comment) took steps to address these concerns by moving the adjudication of infringement and application of penalties from a “Council of Rights” under the HADOPI authority to an expedited judicial procedure.[xxi]
HADOPI has been in place for several months now and the first stages of notification have already begun. Although the concerns of the French Constitutional Council have been addressed, would a HADOPI-like scheme survive due process scrutiny in the US? First, we would have to imagine what an American HADOPI might look like.
Legislative-Backed Graduated Response in the US
It is not difficult to extend the French model to a hypothetical American implementation: Congress passes their own version of the “Creation and Internet” law and forms an agency to oversee and enforce the same baseline set of procedures that have developed in France. The basic elements of the French implementation — the tiered system of notice, the expedited judicial proceedings, and the public/private collaboration — are not entirely unfamiliar in the US. In fact, the RIAA has requested active agency encouragement of graduated response, though it has stopped short of proposing full-blown legislation: “We thus urge the [FCC] to adopt rules that not only allow ISPs to address online theft, but actively encourage their efforts to do so.”[xxii] The MPAA similarly does not request explicit legislative action, but refers admiringly to efforts like HADOPI in other countries:
MPAA believes that these international efforts should underscore, for the [FCC] and Congress, that restricting technological solutions and anti-theft policies not only would be profoundly harmful to American content creators, but also would increasingly leave the United States as an outlier among nations on a subject — enforcing the rule of law — on which the United States should be a leader.[xxiii]
If Congress were to adopt a French-model state-backed graduated response scheme, however, there would likely be a number of procedural due process objections.
Three factors are necessary for a procedural due process claim: First, there must be a protected individual interest in liberty or property at stake.[xxiv] Second, the procedure by which this interest was deprived must insufficient.[xxv] Third, there must be identifiable state action.[xxvi] Under the first and third factors, the HADOPI-model might qualify for a prima facie review. An individual’s interest in her Internet connection could reasonably be considered a significant liberty or property interest, since it is a critical tool for expression, every-day transactions, and commerce.[xxvii] At the very least, it is a liberty interest as the primary tool for constitutionally protected anonymous speech.[xxviii] A Congressionally-created agency enforcing an Internet access suspension would be a clear case of state action: the deprivation is “caused by the exercise of some right or privilege created by the State” and the actor is a state official.[xxix] Putting aside the extent to which an Internet connection constitutes a protected property or liberty interest for another comment, the nebulous issue at hand is whether the procedure provided in the HADOPI-model violates the accused user’s right to sufficient due process protections under the three factors set forth in Matthews v. Eldridge: (1) if the private interest affected is significant and (2) the risk of error in the existing proceedings is high compared with protections afforded by additional procedure, after (3) the government’s interest in implementing additional procedure is counter-balanced, then additional procedure is required.[xxx]
(1) The nature of the private interest: As previously mentioned, an individual’s private interest in her Internet connection is quite significant indeed. This point was explicitly raised by the French Constitutional Council: “In the current state of media and given the widespread development of Internet communication services as well as the importance of these services for participation in democratic life and for the expression of ideas and opinions, [the right of free expression] includes freedom to access these services.”[xxxi] It is also at least equally, if not more, revered in the US. Even the MPAA grudgingly accepted the importance of an individual’s interest in her Internet connection in its call for FCC action to encourage graduated response: “[it is] national policy that the Internet serve[s] as the center of modern society — a digital intersection of Main Street, a town square and a mega-shopping and entertainment complex all-rolled-into-one.”[xxxii] As shown in the MPAA’s statement, the private interest at stake here is no less great than an individual’s right and ability to participate in modern society.
(2) The risk of error: The risk for error in our posited American HADOPI begins at the initial gathering of evidence of infringement. Service providers’ flaws as investigators are apparent in their roles under the DMCA notice and take-down system.[xxxiii] Since similar identification processes are likely to be used under a graduated response scheme, service providers will likely be equally incompetent. To entrust service providers as primary identifiers of infringing users seems to ignore our experience over the past decade with them in this role. Furthermore, allowing private investigators like TMG to play such a significant role in gathering evidence is troubling when it comes to a risk of erroneous assessment. TMG’s counterparts in the US, like MediaSentry, have a spotty record for accurately identifying actual infringers, on one occasion identifying as an infringer a deceased woman who never owned a computer.[xxxiv]
Once the evidence of infringement is gathered, the risk continues within the various levels of hearing and notice. First, there is no requirement to identify the content of the infringed work or the party making the allegations in either the e-mail or the certified letter. Second, the standards regarding proof of infringement are so ill-defined as to effectively put the burden on the accused party to prove her innocence.[xxxv] This is a troublingly low standard for notice when weighed against the potential gravity of the penalties. HADOPI procedures suggest that the only way to receive significant information about the allegations is to request a hearing. At minimum, it would seem prudent to set standards for notice that rise above the nebulous stipulations set by HADOPI.
Additionally, reliance on non-adversarial, expedited proceedings at the penalties phase combined with minimal notice to the defendant creates an imbalance in favor of sophisticated parties like the RIAA and MPAA. Even the entirely blameless subscriber would find this imbalance difficult to overcome, significantly raising the risk of an erroneous decision.
(3) Government interest: Finally, in assessing the government interest in implementing additional procedural safeguards to a graduated response scheme, we turn first to the statements of rights holders. The RIAA claims that industries dependent on copyright protection:
such as sound recording, music publishing, filmmaking, and computer and gaming software directly account for, by some estimates, over 6% of GDP, over 22% of real economic growth, and the employment of over 5.5 million Americans (or more than 4% of the nation’s workforce) as of 2007.[xxxvi]
If one were to assume that Internet piracy significantly affects the combined productive capabilities of these industries, then surely this is a critical area for the government to protect. When the government’s interest in enforcement is high, its interest in implementing additional procedure will be viewed as a balance between effectiveness and cost. In the pursuit of keeping administrative costs low, the expedited judicial proceedings and partially privatized detection are positive factors, as well as achieving effective enforcement through over-inclusive, loosely regulated standards. One might imagine, however, that handling fewer erroneous claims of infringement would also serve this end. Imposing stricter standards on the private enforcement entities at the detection and notice phases could lead to a crucial reduction of error while keeping the additional administrative costs within the private sector. This suggests that, at the very least, there is a government interest in creating additional procedural safeguards at the early stages of the private enforcement.
Given the high level of importance that Internet access represents in contemporary society, the high risk of error involved in a French-style graduated response, and the government interest in avoiding the costs associated with an influx of meritless claims, the HADOPI-style regime would be vulnerable to due process challenges in the US.
What We Are More Likely to See and Other Issues
Despite the MPAA and RIAA’s calls for Congressional attention to the issue, the US is unlikely to see the imposition of a legislative-backed graduated response scheme like HADOPI any time soon. If graduated response finds its way across the Atlantic, it will probably come about through fully private agreements between the big rights holders and the individual Internet service providers.[xxxvii] While this forfeits some of the advantages of HADOPI — such as being able to prevent individuals from regaining Internet access by switching services if they are blocked for infringement — it also dodges the procedural due process vulnerabilities by removing the element of state action.
This doesn’t mean, however, that an American graduated response scheme would be entirely immune to attack from critics. Much of this would be context-dependent, but information privacy, freedom of expression, and anti-competitive behavior all would be likely grounds for debate. Ultimately, however, the determining factor for graduated response schemes in the US and elsewhere in the world will be their effectiveness. Already there are suggestions that HADOPI will not be as effective as intended, with one study showing that although it has deterred 15% of Internet users from using peer-to-peer services, two-thirds of those have simply found alternative means of acquiring pirated content.[xxxviii]
Paul McGuinness may well see his dream of sticking the bill for online copyright infringement to ISPs and their subscribers become a reality in the US, as it has in France and elsewhere. Nonetheless, to suggest that graduated response represents a comprehensive or just solution to the record industry’s woes is premature. As quickly as online infringement seemed to appear just over a decade ago, it will take more time, and a great deal more innovation, both technological and legislative, to save the (recorded) music business.
[i] Paul McGuinness, How to Save the Music Business, Rolling Stone, Sept. 30, 2010, at 43, 44.
[ii] Loi 2009-669 du 12 juin 2009 favorisant la diffusion et la protection de la création sur internet [Law 2009-669 of June 12, 2009 on Promoting the Distribution and Protection of Creation on the Internet], Journal Officiel de la République Française [J.O.] [Official Journal of France], June 13, 2009, p. 9666, available at http://www.assemblee nationale.fr/13/ta/ta0337.asp.
[iii] Annemarie Bridy, Graduated Response and the Turn to Private Ordering in Online Copyright Enforcement, 89 Or. L. Rev. 81, 84-85 (2010) (citing Business Software Alliance, Position on Appropriate Measures to Deter Online Piracy of Content).
[iv]Id. at 85.
[v] 17 U.S.C. § 512(i)(1)(A); Ellison v. Robertson, 357 F.3d 1072, 1080 (9th Cir. 2004).
[vi]Private Ordering, 91-92.
[vii] Loi 2009-669 du 12 juin 2009, supra note 2, art. 1.
[viii]Id. at art. 5.
[ix]Id.[x]Id.[xi] Alain Strowel, Internet Piracy as a Wake-up Call for Copyright Law Makers — Is the “Graduated Response” a Good Reply?, 1 W.I.P.O.J. 75, 80 (2009).
[xii] Loi 2009-669 du 12 juin 2009, supra note 2.
[xiii]Id. at art. 1.
[xiv]Id. at art. 8.
[xv] Strowel, supra note 11, at 80.
[xvi] Loi 2009-669 du 12 juin 2009, supra note 2, at art. 9 (“la juridiction prend en compte les circonstances et la gravité de l'infraction ainsi que la personnalité de son auteur, et notamment l'activité professionnelle ou sociale de celui-ci, ainsi que sa situation socio-économique. La durée de la peine prononcée doit concilier la protection des droits de la propriété intellectuelle et le respect du droit de s'exprimer et de communiquer librement, notamment depuis son domicile.”).
[xvii]Id. at art. 7.
[xviii] Loi 2009-669 du 12 juin 2009, supra note 2, at art. 7.
[xix] FR Const. Title I, art 4.
[xx] Strowel, supra note 11, at 81 and citations.[xxi]Id.
[xxii] Comments of the Recording Industry Association of America, GN Docket No. 09-191, WC Docket No. 07-52 (Jan. 14, 2010).
[xxiii] Reply Comments of the Motion Picture Associate of America, GN Docket No. 09-51, at [pincite] (Oct. 30, 2009).
[xxiv] Board of Regents of State Colleges v. Roth, 408 U.S. 564, 571–72 (1972) (“...the property interests protected by procedural due process extend well beyond actual ownership of real estate, chattels, or money. By the same token, the Court has required due process protection for deprivations of liberty beyond the sort of formal constraints imposed by the criminal process.”)
[xxv]Id.[xxvi]See Davis v. Prudential Securities, Inc., 59 F.3d 1186, 1190 (11th Cir. 1985).
[xxvii]See Strowel, supra note 11, at 81; Reply Comments of MPAA, supra note 24, at 2.
[xxviii] Lassa v. Rongstad, 718 N.W.2d 673 (2006) (courts may refuse to order the disclosure of the identity of an anonymous internet poster based on the constitutional right to anonymous free speech).
[xxix] Lugar v. Edmondson Oil Co., 456 U.S. 829, 937 (1982).
[xxx] Matthews v. Eldridge, 424 U.S. 319, 335 (1976).
[xxxi] Decision No.2009-580 DC of June 10, 2009, available at http://www.conseil-constitutionnel.fr (“qu'en l'état actuel des moyens de communication et eu égard au développement généralisé des services de communication au public en ligne ainsi qu'à l'importance prise par ces services pour la participation à la vie démocratique et l'expression des idées et des opinions, ce droit implique la liberté d'accéder à ces services”).
[xxxii] Reply Comments of MPAA, supra note 24, at 2.
[xxxiii] Wendy Seltzer, Free Speech Unmoored in Copyright’s Safe Harbor: Chilling Effects of the DMCA on the First Amendment, Berkman Center Res. Pub., No. 2010-3, at 33-39 (explaining the high risk of error under DMCA enforcement).
[xxxiv] Nate Mook, RIAA Sues Deceased Grandmother, BetaNews (Feb. 4, 2005, 10:50 AM), http://www.betanews.com/article/RIAA-Sues-Deceased-Grandmother/1107532260 (“Because online identities are mostly anonymous, industry police utilize IP addresses to track the specific Internet account sharing music. Unfortunately, the process is riddled with inaccuracies and sometimes innocent -- or deceased -- people are fingered as pirates.”).
[xxxv] Loi 2009-669 du 12 juin 2009, supra note 2.
[xxxvi] Comments of RIAA, supra note 24.
[xxxvii] If it hasn’t already. See Ernesto, Cox Disconnects Alleged Pirates from the Internet, TorrentFreak (Sept. 30, 2008), http://torrentfreak.com/cox-disconnects-alleged-pirates-from-the-internet-080930.
[xxxviii] Sylvain Dejean, Thierry Pénard et Raphaël Suire, Une première évaluation des effets de la loi Hadopi sur les pratiques des Internautes français, M@rsouin, CREM et Université de Rennes (Mar. 1, 2010).