Safe-harbor compliance for FOSS projects

By Aaron Williamson | April 2, 2013

“DMCA” is a four-letter word among free and open source software developers, and for good reason: the 1998 act criminalized an entire category of programs and has been grossly misused in numerous cases. It’s in the news yet again this week, as activists are fighting to make it legal to carrier-unlock cellphones despite the Librarian of Congress’s decision not to exempt unlocking from the DMCA’s anti-circumvention rules.

But the anti-circumvention rules are only one part of the DMCA—it also put in place the safe harbors that protect online services from liability for their users’ activity. These too have been the subject of some controversy, as large content owners have routinely abused the notice-and-takedown process to censor materials protected by fair use. But they’ve also done a lot of good. Before, it was difficult for service providers dealing with user-uploaded content to predict their potential liability for the infringing activity of their users. The safe harbors provide clear rules for avoiding secondary liability related to user content.

Why free and open source software projects should care about safe-harbor compliance

Popular content hosting sites like YouTube are the most common targets for infringement claims related to user content, but they’re not the only ones who can benefit from the safe harbor. Any online service that allows users to post content—whether multimedia, software, or text—can be used for infringement and exposed to liability.

Free and open source social networking and content-hosting services are obvious candidates for the safe harbor, but even projects whose software isn’t hosted should take a look at their online presence. Does the project host a source code or add-on repository? Forums, project management software, or other collaboration tools? Any online tool that allows users to post content potentially risks secondary liability.

Obviously, the risk depends upon the service: a source code repository accessible to a few trusted developers may be relatively safe, while a photo-sharing site with open registration is more likely to run into trouble. Whether a DMCA policy makes sense for your project depends on your particular situation, but it’s a question worth considering carefully: a compliant policy gives you a solid defense to claims related to user activity, and without one, dealing with even a bogus claim could cost significant time, effort, and even legal expense.

How to qualify for the safe harbor

Qualifying for the safe harbor involves some one-time eligibility requirements as well as some continuing obligations. The up-front requirements are pretty simple:

  1. Designate someone to receive notices from copyright holders about infringing content. You have to provide the person’s name, address, phone number, and email address to the Copyright Office (by mailing in a form) and post the same information publicly on your website.
  2. Adopt a policy for terminating the accounts of users who repeatedly infringe copyrights. The law doesn’t say what the acceptable bounds of such a policy are except that it must be “reasonably implemented,” leaving projects some room to determine what an appropriate policy looks like for their users.

Ongoing compliance: notice & takedown

Once you’ve met the initial qualifications for the safe harbor, you have to observe a few rules to remain in compliance. The most important are the rules about responding to infringement notifications:

  1. When you receive a valid infringement notification, you must “respond expeditiously” to remove the allegedly infringing content or disable access to it. The law doesn’t define “expeditiously,” but a good rule of thumb is to act within a week. To be valid, a notice must meet the seven notice requirements in the law, e.g. it must be signed by an agent of the copyright holder, must adequately identify the allegedly infringing content, etc.—you are not required to judge for yourself whether the material is actually infringing. You are also not required to act upon a notice that “substantially fails to comply” with the notice requirements. But you should be careful about ignoring any notice, because…
  2. If you become aware of infringement you must remove or disable access to the infringing content regardless of whether you receive a valid notice. An invalid notice may be sufficient to make you legally “aware” if it contains contact information for the sender and properly identifies both the infringing content and the copyrighted work infringed. However, mere suspicion is not enough—before you have an obligation to remove content, the fact that it’s infringing must be “apparent.”
  3. When you remove content, you have to notify the user who posted it. If the user sends you a valid counter-notification claiming a good-faith belief that the material was removed because of a mistake or misidentification, you must:
    1. notify the sender of the original notification that you will put the content back up in 10 business days; and then…
    2. put the content back up after 10 business days. (You cannot put the content back up before 10 business days have passed, nor can you wait longer than 14 business days to put it back up.) But, if you receive notice from the copyright holder that he or she has “filed an action seeking a court order” to prevent the user’s alleged infringement, you are not required to put the content back up.

In addition to these important rules, you may not “interfere with standard technical measures” used to identify or protect copyrighted works. While this may sound like a requirement to enforce DRM, it’s quite limited. It requires no affirmative accommodation of DRM, just non-interference. And it essentially only applies to widely adopted standards. In short, if you’re not actively stripping DRM or copy-control information off of uploaded files, it’s probably not something you need to pay much attention to.

While the only information you’re required to post on your site is the contact information of your DMCA agent, most services include a bit more information about how they deal with DMCA claims. This can be a good way to discourage illegitimate infringement notifications and also to tell users how to submit a counter-notification if their content falls victim to an overzealous copyright holder. The Electronic Frontier Foundation’s copyright policy includes a good example of a DMCA policy with an advocacy component.

You should put the DMCA agent’s information (and anything else you choose to include) somewhere readily accessible. If you have terms of service or a similar site-wide usage policy, you can put your DMCA policy there. Alternatively, you can create a stand-alone DMCA/copyright policy and put a link in your site’s footer or another easily accessible location.


There’s unquestionably some irritating bureaucracy involved, but qualifying for the safe harbor isn’t difficult, and can save projects a lot of time and trouble. Not every site or service is at risk of infringement claims for user content, but if your site or service allows users—particularly anonymous or otherwise untrusted users—to post content, you should consider putting a safe harbor policy in place.
