Megaupload’s DMCA Shell Games

On January 19, Megaupload was seized by the U.S. federal government in an action that involved authorities in both the U.S. and New Zealand. Seven people were arrested and one of the world’s largest sites, possibly the world’s largest file sharing site, went dark.

The move’s timing, one day after the Stop Online Piracy Act (SOPA) blackout protests, has put this takedown in the spotlight as alleged evidence that the act, and its sister act Protect IP (PIPA), were not only unnecessary but also dangerous.

However, with the 72-page indictment against Megaupload made public, we have a deeper look at the operations of the controversial site and, for many of us, confirmation that Megaupload appeared to be knowingly and deliberately running an operation that supported piracy.

One of the more interesting elements of the indictment, however, looks squarely at Megaupload’s response to DMCA notices and, specifically, the various ways that it would attempt to thwart DMCA takedowns. These methods not only included selective cooperation with DMCA notices, but also a technical workaround that ensured it was almost impossible to completely remove content from the service.

To understand how this worked, you have to look a bit deeper at the internal workings of Megaupload and how the DMCA filing system worked.

Three People, One File

To understand the problem, let’s play out a simplified scenario that happened regularly on the site.

Three people all want to make the same movie available for distribution using Megaupload. Each uploads a copy of the movie to the service and receives a separate access link to it. However, Megaupload, not wanting to waste file storage space, takes a hash of each file and realizes that they are identical. So, rather than storing three copies of the file, all three links point to the same file on its servers.

This is a common practice among file storage services, and even Dropbox does something similar to both speed up uploads and avoid storing duplicate files.

The problem, however, is what would happen when a copyright holder filed a DMCA takedown notice. Rather than, as the law says, disabling access to the infringing work, Megaupload would simply disable the link specifically mentioned in the takedown notice.

The result is that, though the infringing work would appear to have been removed, only the specific link mentioned would have been taken down and all other links to the file would remain valid even though Megaupload had been put on notice that the file itself was infringing. Copyright holders, however, would likely be unaware of this and would just assume that the other links were separate uploads of the file.

As such, it was almost impossible for a copyright holder to remove all “instances” of a file on the service and Megaupload worked to keep as much infringing content up on their service as possible.

This, in turn, was likely a big part of why Megaupload was so popular among pirates.
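The three-uploader scenario above, as an added example (not code from Megaupload or the indictment): a toy deduplicating store in Python that compares a takedown disabling only the noticed link with one that resolves the link to its hash and removes the stored file and every link to it. The class name, method names and sample bytes are hypothetical.

```python
import hashlib
import secrets


class DedupStore:
    """Toy file host: many access links, one stored copy per content hash."""

    def __init__(self):
        self.blobs = {}   # sha256 hex digest -> file bytes, stored once
        self.links = {}   # access link id -> sha256 hex digest

    def upload(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)   # identical upload reuses the copy
        link = secrets.token_hex(8)           # each uploader gets a separate link
        self.links[link] = digest
        return link

    def download(self, link: str):
        digest = self.links.get(link)
        return self.blobs.get(digest) if digest else None

    def takedown_link_only(self, link: str) -> None:
        # Behaviour the article describes: only the link named in the notice dies.
        self.links.pop(link, None)

    def takedown_content(self, link: str) -> list:
        # Resolve the noticed link to its hash, then remove the stored file
        # and every other link that points at the same hash.
        digest = self.links.get(link)
        if digest is None:
            return []
        removed = [l for l, d in self.links.items() if d == digest]
        for l in removed:
            del self.links[l]
        self.blobs.pop(digest, None)
        return removed


def demo() -> dict:
    movie = b"constructed bytes standing in for one movie file"
    still_reachable = {}
    for mode in ("link_only", "content"):
        store = DedupStore()
        a, b, c = (store.upload(movie) for _ in range(3))  # three uploaders
        getattr(store, "takedown_" + mode)(a)              # notice names link a
        still_reachable[mode] = sum(
            store.download(x) is not None for x in (a, b, c))
    return still_reachable
```

`demo()` returns how many of the three links still serve the file after a notice naming one of them, for each takedown mode.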

How Other Cyberlockers Handle Takedown Notices

The reason this is a problem for copyright holders is that most don’t file DMCA notices against a link, but against a file. However, Megaupload would not remove the actual file and, instead, just disabled the link. To the filer, it would appear that the takedown notice was successful even though the file still remained; only the known link was disabled.

Unfortunately, there isn’t much that a copyright holder can do about this, especially a smaller one. Megaupload, before its closure, got to keep infringing files available to pirates and save on storage costs, all the while appearing to be compliant with the DMCA when, in truth, it was not.

This, of course, turns the attention of copyright holders (and the government) to other cyberlocker-style sites that, almost certainly, have a similar hashing system to reduce storage costs and could easily use the same trick to limit the effectiveness of takedown notices.

To find out how they handled DMCA takedown notices, I contacted half a dozen different cyberlocker services to find out if their system was similar to Megaupload’s. However, as of this writing only two responded and neither was very straightforward with its reply.

Rapidshare, in addition to attaching a broader statement about Megaupload, said the following:

RapidShare employs an anti-abuse team which is responsible for obtaining information on illegal files from rights holders or third parties, carries out independent searches for illegal files, deletes from the servers any files which infringe copyright, and if necessary, blocks user accounts. RapidShare has also introduced a registration process which customers have to complete, anonymous uploads are not allowed any more.

Likewise, Depositfiles chimed in and said:

We are highly concerned by the criminalization of otherwise civil offence. We are looking thoroughly into the case as creating a precedent will change the whole nature of internet services including major fields of hosting, billing and advertizing (sic).

At the moment we may state that our technical platform and communication model is completely dissimilar to Megaupload’s. Sadly at the time of unease we cannot disclose any additional details for publication.

I will add other hosts’ responses if and when they arrive.

Bottom Line

All in all, what this means is simple. When you file a DMCA takedown notice, even if the notice appears to be complied with, it doesn’t always mean that the content is truly gone. Though Megaupload appears to be the exception in this area, undoubtedly there are others using the same or a similar technique to thwart legitimate notices.

Fixing this problem will not be easy and, in the meantime, the most rightsholders can do is be aware of the problem and be vigilant against it.

Hopefully a more robust solution to this problem can be found soon and both legitimate file hosting sites and rightsholders can rest a bit easier at night.