Following the example set by the United States, the EU started publishing its very own piracy watchlist in 2018.
The biannual ‘Counterfeit and Piracy Watch List’ is put together by the European Commission. As in the US, it is based on submissions from copyright holder groups that report on problematic sites and services.
Rightsholders are happy to contribute. In addition to pointing out sites and services that blatantly engage in copyright-infringing activities, they also use the opportunity to request broader cooperation from third-party services. In some cases, this leads to concrete suggestions that go beyond what the law requires.
Listing Anti-Piracy Demands
For example, in their latest submission, music industry group IFPI suggested that third-party services should implement robust “know your customer” policies. This also applies to the popular CDN and proxy service Cloudflare.
“CloudFlare should exercise due diligence in confirming who its customers are and establishing their proposed and actual activities,” IFPI wrote.
Other rightsholder groups made similar suggestions. For example, the movie industry’s MPA stressed that online intermediaries, such as CDNs, domain registrars and hosting companies, should stop offering their services to customers who are not properly verified.
These are understandable requests from rightsholders, who can use every bit of information to track down the operators of problematic sites. However, these verification demands are not cemented in EU legislation, so services are not legally required to vet all customers.
Cloudflare Asks the EU to Focus on ‘Illegal’ Acts
That last point was also highlighted by Cloudflare, which sent a rebuttal to the EU Commission after it was flagged by several rightsholders as a potential candidate for the piracy watchlist.
The San Francisco company has millions of customers all over the world. These include governments and copyright holders but also many smaller sites that take advantage of the platform’s CDN and security features.
In its rebuttal, Cloudflare supports the watchlist initiative. However, it urges the EU to keep the listed sites and services limited to those that actually appear to act against the law, not those who fail to comply with all copyright holders’ wishes.
“The Commission should not issue a report – even an informal one – that is simply a mechanism for particular stakeholders to air their grievances that entities are not taking particular voluntary action to meet their concerns or to advocate for new policies.”
Listing companies such as Cloudflare solely based on complaints from copyright holders could give the impression that the EU supports these allegations, the company argues. That could potentially impact ongoing legal discussions and policy debates.
“Our view is that the Commission’s staff document and Watch List should be limited to Commission-verified allegations of illegal behaviour, based on principled and fair legal standards,” Cloudflare notes.
‘Verification is an Indirect Security Threat’
In addition to this broader criticism, the company also argues that some of the demands from rightsholders could prove to be problematic. For example, an extensive verification process would involve significant costs, which could mean that the company is unable to maintain its free tier.
As a result, smaller sites may lose the benefit of the free protection that’s offered, because they can’t afford to pay for the service.
“Altering this online sign up process, which is consistent with existing law, to require manual review of new accounts would make it impossible to offer these free services at scale, degrading the Internet experience for all users and making much of the web more vulnerable to cyber attack,” Cloudflare writes.
The CDN provider also stresses that it already goes beyond what the law requires to help rightsholders. For example, it works with “trusted notifiers” who can request the origin IP addresses of problematic sites, when these are flagged.
These and other voluntary measures were previously highlighted in a separate submission to the US Government as well. According to Cloudflare, the company is showing its goodwill while operating in line with all applicable laws.
Several of the rightsholder groups complaining about Cloudflare are also “trusted notifiers”. While this indeed helps to find out where sites and services are hosted, they believe it’s not enough.
IFPI, for example, mentions that Cloudflare apparently does very little to address customers for which it receives a large volume of complaints.
“[N]otices or requests for information under the ‘trusted flagger’ program should result in meaningful action vis-à-vis the customer. The program needs to feed into a repeat infringer policy, yet in the case of CloudFlare, there is no evidence that it does.”
It is clear that copyright holders and Cloudflare have different takes on how to tackle the piracy problem. Whether the EU believes that this warrants a mention on the piracy watchlist has yet to be seen.
Cloudflare was mentioned in the EU’s first watchlist in 2018, but was taken off the next version. If it’s up to the San Francisco CDN provider, it will stay off the list in future.
“The Watch List is not the appropriate place for advocacy on new policies as to what online service providers should collect on their users,” the company writes.