Id: 82

As the story from part 1 goes, I’ve received a DMCA takedown notice based on some content that was apparently sent through the Tor relay I just started running on this server. The first thing I did was to ask for advice on the Slicehost forum, thinking that maybe someone else on the forum had run across this problem before. No luck, though — it looks like I’m going to be the guinea pig (at least among Slicers) on this one, as a few other Slicehost customers have expressed interest in seeing the way the issue turns out.

As I suspected, the problem of DMCA takedown notices based on Tor activity is not without precedent, and to that end the EFF has written a template response to DMCA notifications. The template explains that Tor merely acts as a conduit for information, not as a host, and thus it falls under the “safe harbor” provisions in 17 U.S.C. § 512(a). (Before I start on the explanation, I need to make the obligatory disclaimer that I am not a lawyer!! I have no formal training, or even informal training, in legal matters. The law I’m dissecting in this post seems reasonably clear, but that’s no guarantee that anything here is correct.)

The legal reference piqued my curiosity, so here’s the actual text of subsection (a):

A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the provider’s transmitting, routing, or providing connections for, material through a system or network controlled or operated by or for the service provider…

Well guess what, that’s exactly what Tor is. It provides a connection for routing material through a computer system controlled by me, the service provider.

or by reason of the intermediate and transient storage of that material in the course of such transmitting, routing, or providing connections, if—

Tor probably has some kind of (extremely) transient cache, since it’s nearly impossible to do anything without one, so let’s look at these conditions:

(1) the transmission of the material was initiated by or at the direction of a person other than the service provider;

(2) the transmission, routing, provision of connections, or storage is carried out through an automatic technical process without selection of the material by the service provider;

(3) the service provider does not select the recipients of the material except as an automatic response to the request of another person;

(4) no copy of the material made by the service provider in the course of such intermediate or transient storage is maintained on the system or network in a manner ordinarily accessible to anyone other than anticipated recipients, and no such copy is maintained on the system or network in a manner ordinarily accessible to such anticipated recipients for a longer period than is reasonably necessary for the transmission, routing, or provision of connections; and

(5) the material is transmitted through the system or network without modification of its content

It seems pretty clear to me that all five of those conditions describe Tor. They’re practically the definition of an anonymizing proxy.

One thing left to check is subsection (j), to make sure I’m not liable for “injunctive or other equitable relief.” It’s a long one but here are the highlights:

If the service provider qualifies for the limitation on remedies described in subsection (a), the court may only grant injunctive relief in one or both of the following forms:

(i) An order restraining the service provider from providing access to a subscriber or account holder of the service provider’s system or network who is using the provider’s service to engage in infringing activity and is identified in the order, by terminating the accounts of the subscriber or account holder that are specified in the order.

Tor doesn’t have accounts, so good luck with that…

(ii) An order restraining the service provider from providing access, by taking reasonable steps specified in the order to block access, to a specific, identified, online location outside the United States.

Presumably “specific, identified, online location” means an IP address. That’s fine; I have no problem blocking access to an IP address if there’s enough evidence to convince a court that it’s a chronic copyright infringer. But the nature of Tor makes producing that evidence pretty difficult, if not impossible.

(2) Considerations.— The court, in considering the relevant criteria for injunctive relief under applicable law, shall consider—

(C) whether implementation of such an injunction would be technically feasible and effective, and would not interfere with access to noninfringing material at other online locations

Again, because of the nature of Tor, you can’t really put in specific blocks based on what kind of traffic is passing through your relay or where it’s coming from. In fact, according to the Tor legal FAQ, doing so could even be against the law.

In summary, I’m sufficiently convinced that Tor activity is not illegal. But there’s another issue: a lot of ISPs have terms of service which restrict considerably more than the U.S. code does, and even though running a Tor relay may be legal, it could still be a ToS violation, which is not much better. That may, in fact, be the case here: transferring copyrighted material via Tor might be a violation of Slicehost’s terms of service. I’m not really sure what the exact nature of the violation would be — the ToS carefully avoids mentioning transfer of copyrighted material as a prohibited activity in and of itself — but I’m hoping that will be cleared up shortly. I’m not trying to get away with letting this copyrighted material float around freely, I just want to keep my website up and my relay running.

As things stand now, I’ve replied to the original DMCA notice with a variant of the EFF’s template letter (which I hope to post later on), basically stating that I haven’t done anything illegal and I’m very interested in working this issue out to everyone’s satisfaction. We’ll see what happens with that.

— The chronology of my DMCA experience continues in part 3. —