The Wikileaks Injunction Case
posted by Bruce Boyden
Since it involves a blend of civil procedure, internet law, and copyright — i.e., my entire teaching package — I really have no excuse for not posting on the Wikileaks injunction matter. For those who have not been following it, a Swiss bank with a branch in the Cayman Islands, Bank Julius Baer (“BJB”), filed suit against the website Wikileaks.org in federal court in California and obtained a pair of emergency orders essentially shutting the domain name down. Wikileaks is a user-edited website, much like Wikipedia, but where the purpose is not to post encyclopedia entries, but rather leaked documents from governments and private entities. BJB argued as a basis for the orders that someone, allegedly a former employee, posted stolen documents revealing confidential aspects of BJB’s operations.
The orders require the domain name registrar, Dynadot, to point the wikileaks.org domain name to an empty page. This doesn’t shut down the site, exactly, it just makes it harder to find. It’s like an order to a telephone company ordering a vanity 1-800 number like 1-800-BBOYDEN disconnected. Sure, you can still reach me on my cell and work numbers, but you’ll have to go look those up and most people won’t bother. (Note: I don’t actually have a 1-800 number — it’s a hypothetical.) The “Order Granting Permanent[!] Injunction” and “Amended TRO and Order to Show Cause re Preliminary Injunction,” both dated Feb. 15, are available online, as is the entire court docket, via Justia. (See Michael Froomkin’s discussion of why the relationship between the two orders is confusing.)
There’s lots of focus on the broader question of whether domain-name-disabling is a prior restraint barred by the First Amendment. I want to focus on several lesser but still interesting nuggets: the overlooked privacy interests at stake, the role of the DMCA, the breadth of TROs in the internet age, and “futility” arguments against anti-leak injunctions based on internet distribution.
1. The Privacy Component. BJB’s moving papers are a little sketchy, but BJB claims that at least some of the records in question contain client information such as names and account numbers. Whether or not yanking the domain name is justifiable, a TRO or preliminary injunction ordering immediate removal of those documents, allegedly stolen from the bank, should not raise First Amendment concerns. It’s unclear, however, how much of the records actually contain such client data, and how much contain merely embarrassing internal bank operation details, where the justification for removal would be subject to trade secret law. The California Supreme Court’s decision in DVD CCA v. Bunner indicates that it might be difficult to establish, in a case like this, that “publication of these trade secrets on the Internet has not destroyed their trade secret status,” a necessary element of a trade secret claim for an injunction against someone other than the original thief.
2. There’s a Lot of Confusion Over the DMCA Notice-and-Takedown Procedures Here. The Wikileak orders were preceded by a period of correspondence between BJB’s lawyers in California and Wikileaks concerning Wikileaks’s contact address for DMCA takedown notices. The correspondence is odd on both sides. First, there is BJB counsel’s insistence that Wikileaks identify the contact address for DMCA takedown notices, which “under US federal copyright law, it is your legal obligation to provide.” Wrong. This is something my students get confused about all the time. Section 512, which contains the DMCA designated agent provision, does not obligate ISPs to do anything. It provides an immunity from contributory infringement liability, and conditions that immunity on jumping through various hoops — one of which is providing the contact address. So, BJB’s lawyers should have been saying, “if you want to keep your immunity, you’d better send me that address now.”
Wikileaks looks confused too. They have a DMCA takedown policy on their site, but it does not actually provide the contact details for Wikileaks’ agent for receiving a DMCA notification. Rather, it provides an email address — in January, firstname.lastname@example.org — where you can email to ASK for the contact information. Wikileaks says that if you do that, “[y]ou will then be provided with contact details for the Wikileaks Agent.”
That doesn’t appear to me to comply with Section 512. 17 U.S.C. s 512(c)(2) requires that, in order to preserve its immunity for information posted by a third party on the ISP’s servers, the ISP must “mak[e] available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information: (A) the name, address, phone number, and electronic mail address of the agent.”
Wikileaks might have a claim that nevertheless it qualifies for the DMCA safe harbor IF emailing email@example.com resulted in an immediate response containing the contact information. But that’s not what Wikileaks does — take a look at the correspondence. (There’s also the problem that it hasn’t sent anything to the Copyright Office.) Instead, Wikileaks wrote back to BJB’s lawyers and asked for all sorts of details about their claims before they would send the contact information. Wrong again. The details about the claim are supposed to be in the takedown notice — which BJB CAN’T SEND until it has the contact information. Wikileaks’ procedure reminds me of the classic Dilbert cartoon: Dilbert: “I can’t log onto the network.” Tech support guy: “Send me an e-mail about it.”
3. If BJB Had Managed to Send a Takedown Notice, Could It Have Been Sanctioned for Taking Down Documents Subject to a Meritorious Fair Use Defense? BJB is probably fortunate it wasn’t able to get the DMCA contact information and instead decided to seek relief directly in court. If they had sent a takedown notice, that would have put BJB roughly where Diebold, the maker of electronic voting equipment, was a couple of years ago. In 2004, some people managed to get a hold of an internal email archive from Diebold discussing problems with its equipment, and circulated it over the web. Diebold sent a takedown notice and had one of the archive copies taken down — along, incidentally, with an entire ISP that was hosting a link to it, a situation somewhat reminiscent of this one.
Diebold was sanctioned by a federal court in California for its actions under Section 512(f), which provides: “Any person who knowingly materially misrepresents under this section … that material or activity is infringing … shall be liable for any damages, including costs and attorneys’ fees, incurred by the alleged infringer, … or by a service provider, who is injured by such misrepresentation….” The court held that “[n]o reasonable copyright holder could have believed that the portions of the email archive discussing possible technical problems with Diebold’s voting machines were protected by coyright,” and that therefore claiming copyright infringement was a knowing material misrepresentation.
Taken at face value, Online Policy Group v. Diebold holds that any DMCA takedown notice referencing material that includes some portion subject to a fair use defense violates Section 512(f). That clearly goes too far. All material is subject to a fair use defense, if a small enough portion is taken. Each individual word of every copyrighted work on the planet, taken by itself, is a fair use of that word. So that clearly won’t do. There’s also language, however, in the Diebold opinion — although it’s unclear how it constitutes a 512(f) violation — that indicates that the court was most concerned that Diebold’s real aim was not in protecting its copyrights, but in using Section 512 “as a sword to suppress publication of embarrassing content.” The problem is that Section 512 does not require that the copyright owner state that its primary purpose is to defend its copyrights; therefore bringing suit for a different primary purpose does not constitute a misrepresentation, so long as the material is actually subject to copyright. Nevertheless, to the extent this “purpose” element is being read into Section 512(f), BJB might have been vulnerable.
4. Isn’t an Injunction That Extends to “All Others Who Receive Notice of This Order” Ridiculously Overbroad? Yes and no. (See also Michael Froomkin’s discussion of this point, and particularly the comments.) Rule 65(d) limits a court’s power to restrain to parties and “those persons in active concert or participation with [parties] who receive actual notice of the order by personal service or otherwise.” The actual TRO, however, applies by its terms to “all those in active concert or participation with the Wikileaks Defendants, and each of them, and all others who receive notice of this order.” The words “and all others” are I think redundant and should have been deleted — this looks to me like a typo.
The real question is what it takes to act in “active concert or participation” with Wikileaks. Does it take an express agreement, or is it enough for someone to say to themselves, “To heck with the TRO, I’m going to do my bit for democracy and mirror these documents!” Without researching this issue in detail, my intuition is the latter is sufficient to bring someone within a properly framed injunction. Fred von Lohmann has helpfully added a list of cites in the comments of Froomkin’s post on this point.
So does that mean that everyone who looks at the orders and then posts a mirror site, anywhere in the country, is subject to contempt of court sanctions in California? I think this is yet another area where are intuitions are bended by the internet. Pre-internet, how would someone get notice of an injunction? Likely because the plaintiff’s attorneys SENT the injunction order to the person, after hearing that they were assisting the defendants. That’s not conclusive proof of involvement, of course, but the potential scope of persons who would come within a court’s injunction that way is necessarily limited.
Not so with both the order and the prohibited documents available online for anyone to find and make use of. Now the potential scope of even a properly crafted Rule 65(b) order is huge.
5. BJB’s Litigation Is Doomed to Fail, as It Is Attempting to Stuff the Genie Back in the Bottle. Or, in legal terms, any injunction against information made available on the internet is “futile” and therefore should be denied. This post is already huge and this topic could take up a whole post all by itself. But suffice it to say that although this argument is often made, I believe it receives too little criticism. I believe it falsely assumes that because all websites are available to everyone, that therefore all websites are EQUALLY available to everyone. This is the essence of the “Darknet” critique of Digital Rights Management. But that’s just plainly false, as someone who has a low Google ranking can tell you. BJB’s litigation could in theory achieve some sort of success, depending on BJB’s goals, if it makes the documents harder for some people to find.
Given BJB’s likely goals, however, this injunction seems unlikely to succeed in even my sense. That is, the people BJB is worried about getting a hold of the information — criminals (for the personal data), competitors, and perhaps reporters — are unlikely to be deterred by barriers such as needing to find an obscure mirror site. This is not a case where a company is attempting to preserve some portion of a broad market for the information that is being eaten away at by infringement. Rather, BJB is attempting to keep the information away from even a few experts. That would require complete stifling of the information, which seems unlikely.
It’s possible, and perhaps more likely, that BJB knows this, and is simply attempting a PR move here — we will do what it takes to go after people who attempt to take your (or perhaps our) data. If so, then this suit might make more sense; although the backlash from shutting down the entire domain name may prove a tactical victory that results in a strategic blunder.