Megaupload’s DMCA Shell Games


Megaupload LogoOn January 19, was seized by the U.S. Federal government in an action that involved authorities both in the U.S. and New Zealand. Seven people were arrested and one of the world’s largest sites, possibly the world’s largest file sharing site, went dark.

The move’s timing one day after the Stop Online Piracy Act (SOPA) blackout protests have put this takedown in the spotlight, both as alleged evidence that the act, and its sister act Protect IP (PIPA), were unnecessary, but also dangerous.

However, with the 72-page indictment against Megaupload made public, we have a deeper look at the operations of the controversial site and, for many of us, confirmation that Megaupload appeared to be knowingly and deliberately running a operation that supported piracy.

One of the more interesting elements of the indictment, however, looks squarely at Megaupload’s response to DMCA notices and, specifically, the various ways that it would attempt to thwart DMCA takedowns. These methods not only included selective cooperation with DMCA notices, but also a technical workaround that ensured it was almost impossible to completely remove content from the service.

To understand how this worked, you have to look a bit deeper at the internal workings of Megaupload and how the DMCA filing system worked.

Three People, One File

Megaupload File ImageTo understand the problem, let’s play out a simplified scenario that happened regularly on the site.

Three people all want to make the same movie available for distribution using Megaupload. Each upload a copy of the movie to the service and receive a separate access link to it. However, Megaupload, not wanting to waste file storage space, takes a hash of each file and realizes that they are identical. So, rather than storing three copies of the file, all three links point to the same file on their servers.

This is a common practice among file storage serves and even Dropbox does something similar to both speed up uploads and avoid storing duplicate files.

Megaupload Post DMCAThe problem, however, is what would happen when a copyright holder would file a DMCA takedown notice. Rather than, as the law says, disabling access to the infringing work, Megaupload would simply disable the link specifically mentioned in the takedown notice.

The result is that, though the infringing work would appear to have been removed, only the specific link mentioned would have been taken down and all other links to the file would remain valid even though Megaupload had been put on notice that the file itself was infringing. Copyright holders, however, would likely be unaware of this and would just assume that the other links were separate uploads of the file.

As such, it was almost impossible for a copyright holder to remove all “instances” of a file on the service and Megaupload worked to keep as much infringing content up on their service as possible.

This, in turn, was likely a big part of why Megaupload was so popular among pirates.

How Other Cyberlockers Handle Takedown Notices

The reason this is a problem for copyright holders is that most don’t file DMCA notices against a link, but against a file. However, Megaupload would not remove the actual file and, instead, just disabled the link. To the filer, it would appear that the takedown notice was successful even though the file still remained, it’s just that the known link was disabled.

Unfortunately, there isn’t much that a copyright holder can do about this, especially a smaller one. Megaupload, before its closure, got to keep files infringing files available to pirates and save on storage costs all the while appearing to be compliant with the DMCA when, in truth, they were not.

This, of course, turns the attention of copyright holders (and the government) to other cyberlocker-style sites that, almost certainly, have a similar hashing system to reduce storage costs and could easily use the same trick to limit the effectiveness of takedown notices.

To find out how they handled DMCA takedown notices, I contacted half a dozen different cyberlocker services to find out if their system was similar to Megaupload’s. However, as of this writing only two responded and neither were very straightforward with their replies.

Rapidshare, in addition to attaching a broader statement about Megaupload, said the following:

RapidShare employs an anti-abuse team which is responsible for obtaining information on illegal files from rights holders or third parties, carries out independent searches for illegal files, deletes from the servers any files which infringe copyright, and if necessary, blocks user accounts. RapidShare has also introduced a registration process which customers have to complete, anonymous uploads are not allowed any more.

Likewise, Depositfiles chimed in and said:

We are highly concerned by the criminalization of otherwise civil offence. We are looking thoroughly into the case as creating a precedent will change the whole nature of internet services including major fields of hosting, billing and advertizing (sic).

At the moment we may state that our technical platform and communication model is completely dissimilar to Megaupload’s. Sadly at the time of unease we cannot disclose any additional details for publication.

I will add other hosts’ response if and when they arrive.

Bottom Line

All in all, what this means is simple. When you file a DMCA takedown notice, even if the notice appears to be complied with, it doesn’t always mean that the content is truly gone. Though Megaupload appears to be the exception in this area, undoubtedly there are others using the same or a similar technique to thwart legitimate notices.

Fixing this problem will not be easy and, in the meantime, the most rightsholders can do is be aware of the problem and be vigilant against it.

Hopefully a more robust solution to this problem can be found soon and both legitimate file hosting sites and rightsholders can rest a bit easier at night.

Want to Republish this Article? Request Free Permission Here. It's Free.


  1. @plagiarismtoday – Nearly all filehosting services with PPC Arrangements employed such a practice (Filesonic, Wupload etc).

    • @Adam Senour Honestly, I’m surprised I got any response (and still only got 2 out of 6) because there isn’t much to be gained by commenting on this issue. If they follow the DMCA, pirates will go elsewhere, if they don’t, they’re next under the gun. Best to keep the “secret sauce” secret for now I guess…

      • @plagiarismtoday True, but if you’re going to answer…at least answer with something that indicates that you’re taking it seriously. They gave the “I’m going to get my company name out somewhere so here’s some quickly-concocted dreck” answers.

        • @Adam Senour Very true. The answers couldn’t have been more boilerplate if they had actually been written on a boilerplate…

  2. I am constantly sending DMCA notices to file sharing sites. Almost always the links are removed but, as explained above, my files soon return. (My hunch is the sites often put them back themselves under invented names. But who knows?) Even search sites like nitrodownloads will remove links when asked. I have not, however, figured out how to apply the DMCA to alt.binary newsgroups. I am thinking specifically of alt.binaries.boneless but they aren’t the only ones. Is there a way to get a DMCA notice to an alt.newsgroup? Would it even apply to a newsgroup?

  3. Wow! I’ve said it a few times, but I’ll say it again: these people are not good guys.

    Here’s why this is such a big deal: Megaupload had the ability to identify multiple copies of the same file. For a legitimate company, this means that they can easily remove a given, specific file, all copies of it and block it from being uploaded again. But, instead of doing that, they used that data to make more money, by consolidating their own hosting of files to lower their overhead on files that they knew were in violation of copyright infringement. If true, this is heinous.

    You can argue, all day, about how reliability of file hashes but when Megaupload took that data and used it for their own profit in blatant disregard of the rights of others, they made that argument moot.

    Any file hosting services that view themselves as legitimate businesses must distance themselves from organizations like Megaupload, very clearly.

  4. in Holland would not take a film down if DMCA’d. They allowed uploaders to load once then generate as many randomly named links to the file as they liked. They only removed the link the DMCA refers to and not the original film. They also had (until today) a commission paying affiliate programme based on numbers of downloads and commission paid to the uploader for people signing up to oron’s premium services via their link for the ‘stolen’ film.