Cloudflare liable for copyright infringement by providing CDN services but not for DNS resolver services

After the German Supreme Court set a high bar for obtaining a website blocking order against Internet service providers in DNS-Sperre (IPKat here), the Higher Regional Court of Cologne dealt with the question whether the provider of DNS resolver and CDN services can be liable for copyright infringement if it provides its services to the operators of websites with illegal content.

DNS means ‘domain name system’. Every domain has a unique Internet Protocol (‘IP’) address, consisting of four numbers. Since it is not very practical to remember such numbers, domain names such as https://ipkitten.blogspot.com/ were introduced. The job of a DNS resolver service is to connect the domain name with the IP address. A more detailed description can be found here.

CDN means ‘content delivery network’. It is a network of servers that are distributed globally. It caches a website’s content on servers close to the end users, which increases the performance of the website. A more detailed description can be found here.

Background

The plaintiff owned the recording rights to the songs of German musician Sarah Connor. The website ddl-music.to provided a download link to one of her music albums without hosting the album itself. Cloudflare provided DNS resolver and CDN services to the operator of ddl-music.to.

The plaintiff sued Cloudflare for copyright infringement. The District Court held Cloudflare liable on account of its DNS resolver and CDN services. Cloudflare appealed.

 

The Higher Regional Court’s decisions

The Higher Regional Court of Cologne partially upheld the appeal (case 6 U 149/22). It found that Cloudflare was liable for copyright infringement due to providing the CDN services but not for the DNS resolver services.

Copyright infringement on ddl-music.to

It was obvious to the judges that the download links provided on ddl-music.to infringed the plaintiff’s right under the German equivalent of Art. 3(2)(b) InfoSoc Directive. According to GS Media (case C-160/15, IPKat here and here) merely providing links to copyright infringing content constitutes ‘communication to the public’ if this is done for financial gain in knowledge of the illegal nature of the publication of the protected work.

ddl-music.to was considered to be an obviously infringing website. It contained, according to its own statements, over one million download links to the latest charts, albums and audiobooks. Additionally, the website’s host provider BlueAngelHost stated on its website:

Our servers are located in Offshore location (Bulgaria) which enable us to offer DMCA Ignored Hosting services, total privacy, data security, and wider range of accepted content.

and

“Why You Need it?“: 

Purchasing USA-based hosting for a site that is not legal to be run in America is not a sensible thing to do. Offshore hosting can be helpful for less scrupulous business who wish to bypass local laws or regulations, particularly for issues like copyright law, which is also known as no DMCA hosting.

After confirming the unlawfulness of the link on ddl-music.to, the Court dealt with Cloudflare’s liability as a service provider. The judges held that the CJEU’s case law on the liability of host providers (YouTube and Cyando, cases C-682/18 and C-683/18, IPKat here) applied to other providers that play an ‘indispensable role’ within the meaning of the CJEU’s case law.

No liability for DNS resolver services

As regards the DNS resolver services, the Court found that they did not play an ‘indispensable role’ for the making available of Sarah Conner’s music album.

Cloudflare’s DNS resolver was neither necessary to find the IP address of ddl-music.to nor did it make the access easier. Cloudflare’s DNS resolver is one of several freely available DNS resolvers. The Court also considered that such services are merely passive, automatic and neutral for the connection of domain names and IP addresses. Therefore, the Court found that a DNS service provider is comparable to an access provider. The latter’s liability required not only a clear notice of an obvious infringement but also that the plaintiff used best efforts to take action against the operator of the website or other service providers which are closer to the infringement (e.g. the host provider). Since the plaintiff did not show that it was impossible or unpromising to take action against the website operator or host provider, the conditions for liability were not met.

For the same reasons, the Court denied a website blocking order on the basis of the German transposition of Art. 8(3) of Directive 2001/29/EC.

Further, Cloudflare could rely on the domestic provision corresponding to Art. 12 E-Commerce Directive, exempting service providers for the transmission of information from liability. As of 17 February 2024, the DSA will partially amend the E-Commerce Directive. The rules on liability exemptions and monitoring obligations in Artt. 12 to 15 E-Commerce Directive will be replaced by Artt. 4, 5, 6 and 8 DSA (Art. 89 DSA). Therefore, the Higher Regional Court considered Recitals 28 and 29 DSA, which explicitly mention DNS resolvers and their exemption from liability (in particular under Art. 4 DSA, which is essentially identical to Art. 12 E-Commerce Directive). On that basis, the judges found that DNS service providers are covered by Art. 12 E-Commerce Directive.

Liability for CDN services

The Court held that Cloudflare’s CDN services played an ‘indispensable role’ for making the copyright infringing content on ddl-music.to available to the public. The website could only be accessed by using the CDN.

An ‘indispensable role’ is a necessary but not a sufficient condition for liability. Further criteria also spoke in favour of Cloudflare’s significant contribution to the infringement:

• There is an inherent possibility to abuse Cloudflare’s services for illegal activities.
• Cloudflare temporarily saved parts of the website not only for the time that is necessary to transmit the data.
• Cloudflare also protected the website by controlling access to it.
• The IP address of the website was not visible. A Whois search only showed the IP address of Cloudflare.
• Cloudflare provided an abuse form but did not make the IP addresses of its customers available even after reporting a website with illegal content.

Cloudflare could not rely on the liability exemption of Art. 12 E-Commerce Directive because their CDN services were not limited to the mere transmission of communication. The Court also found that the exemption in Art. 13 E-Commerce Directive regarding caching did not apply. According to Cloudflare’s terms and conditions, it may store the customer’s website for more than a year, which the judges did not consider temporary anymore. Further, the CDN services’ purpose was not only to make the information’s onward transmission more efficient but also to make it more secure. This purpose is not covered by Art. 13 E-Commerce Directive. Finally, Cloudflare’s terms and conditions allowed it to alter certain information of their customer’s website in order to enhance the security of the website or the functionality of their could services. Modification of the information prevents the exemption from applying (Art. 13(1)(a) E-Commerce Directive).

Comment

It seems questionable to argue that the DNS resolver services did not make the access to the website easier. The IP addresses of infringing websites are usually concealed, which makes finding (and therefore accessing) them quite difficult. And why should it matter that Cloudflare is not the only provider of DNS resolver services? Should someone be absolved from liability just because someone else could support the illegal activities?


Picture is by Klinko and used under the licensing terms of pixabay.com.