How to distinguish
Legit copyright takedowns
From some phishing traps
While it’s safe to delete and ignore most phishing emails – such as one from a mysterious foreign prince offering you a share of his fortune – it’s a headache to have to worry about whether what appears to be a Digital Millennium Copyright Act (DMCA) takedown notice is legitimate or a potential danger.
Any operator of a website that allows users to post content on a site without the operator’s direct involvement needs to be aware of, and comply with, the DMCA.
For example, a website might allow users to directly post:
- Comments and questions on news or blogs
- Forum comments and replies
- Listings of goods and services for sale
- Creative works, such as articles, poems, artwork, etc.
- Reviews of books, movies, music, etc.
Title II of the DMCA, the Online Copyright Infringement Liability Limitation Act (“OCILLA”), creates a “safe harbor” for online service providers (including website operators) if they follow certain procedures.
If users/visitors can’t post anything directly to a website, then the safe harbor isn’t relevant. A website operator isn’t protected from liability for infringing material posted directly by the operator, or by others working for the operator (such as the operator’s employees or contractors).
Under 17 U.S. Code § 512(c),
A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider, if the service provider—
does not have actual knowledge that the material or an activity using the material on the system or network is infringing;
in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent; or
upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material;
does not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity; and
upon notification of claimed infringement as described in paragraph (3), responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.
To take advantage of the protections of the DMCA, a website operator must designate a DMCA agent.
A DMCA agent can be any person who works with or for the website operator. No special skill, training, or certification is required.
The DMCA agent is the person a copyright owner can notify if there’s allegedly infringing material posted by users on a website. The agent is responsible for reviewing the material and removing it if appropriate.
VERY IMPORTANTLY, a DMCA agent must be REGISTERED with the US Copyright Office. If a DMCA agent isn’t registered, then the website operator isn’t protected from liability under the safe harbor.
Registering a DMCA agent is a fast, simple, and inexpensive process that starts with creating a DMCA Designated Agent Registration Account. A copyright attorney isn’t needed to help with this.
A company that receives a DMCA takedown notice must respond to it promptly and properly or risk being held liable for the user’s infringement. That’s why something that appears to be a DMCA notice – as opposed to the usual spam – must be taken seriously.
How can you tell if a takedown email is legit or not?
- If you don’t have any user content on your website, it’s less likely that someone would send you a DMCA takedown notice. It’s more likely that you’d get a cease-and-desist notice from a copyright lawyer if you’ve posted allegedly infringing material yourself.
- If you have properly designated a DMCA agent in your Terms of Service, only that person should be getting DMCA takedown notices. If someone other than the agent is getting such emails, those emails are more likely to be phishing scams.
The safest course of action with any suspected phishing email is to forward it to your IT department so it can be opened, and any links clicked, in a secure environment.
Phishing emails can also be reported to the FTC.
Just like the haiku above, we like to keep our posts short and sweet. Hopefully, you found this bite-sized information helpful. If you would like more information, please do not hesitate to contact us here.