M+E Daily

MegaUpload Founder's Encryption Prescription

By Paul Sweeting

The Motion Picture Association of America and the U.S. Justice Department say they are still reviewing the details of Mega, the new encrypted online file-locker site launched at an extravagant press conference yesterday in New Zealand by Kim Dotcom, the fugitive founder of MegaUpload. But one conclusion already seems clear: file encryption is poised to become the next major battleground in the ongoing struggle over online file-sharing.

MegaUpload was once among the most popular file-locker sites on the Internet. But it was shut down a year ago by the FBI, which alleged the site was being used to store and share pirated content. Dotcom, who was born Kim Schmitz, was arrested by U.S. and New Zealand authorities in an armed raid on his compound near Auckland and charged with criminal copyright infringement. Since then, the Justice Department has been trying to have him extradited to face trial in the U.S. But his extradition has been on hold for months while the New Zealand courts try to determine whether the raid on his house was lawful and, if not, what to do about it.

While that case remains pending, Dotcom and two partners are back, this time with a site that functions very much like the old MegaUpload but which automatically encrypts files as they’re uploaded by users, such that Mega has no knowledge of the files’ content. The system was essentially reverse-engineered by lawyers from the Digital Millennium Copyright Act to try to shield Mega from liability or obligation for infringing material posted to the site.

Mega users choose their own password. That password is then used to generate the user’s login credentials when connecting with the service, as well as a unique encryption key used to encrypt a particular file. By design, Mega knows only the user’s login credentials, not the password used to generate them. Nor does it know the name of any file the user uploads, or have any way to access a decrypted version of any of those files, since both the file name and contents are encrypted using a unique key tied to the user’s password.
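The split described above can be sketched in a few lines of client-side code. This is an added illustration, not Mega's code: the choice of scrypt, HKDF and AES-256-GCM, and every function, label and field name, are assumptions, and the sample inputs are constructed.

```javascript
// Added illustration only: NOT Mega's real scheme. scrypt, HKDF, AES-256-GCM
// and every label and field name below are assumptions made for this sketch.
const nodeCrypto = require('node:crypto');

// Stretch the password once, then expand it into independent secrets.
function deriveSecrets(password, salt, fileId) {
  const master = nodeCrypto.scryptSync(password, salt, 32);
  const expand = (label) =>
    Buffer.from(nodeCrypto.hkdfSync('sha256', master, salt, label, 32));
  return {
    loginCredential: expand('login'),   // the only secret sent to the service
    fileKey: expand('file:' + fileId),  // unique per file, never leaves the client
  };
}

// AES-256-GCM with a random 96-bit IV; output layout is iv | tag | ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// final() throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Client side, before upload: returns exactly what the service would hold.
function encryptForUpload(password, salt, name, contents) {
  const fileId = nodeCrypto.randomBytes(8).toString('hex');
  const { loginCredential, fileKey } = deriveSecrets(password, salt, fileId);
  const stored = {
    fileId,
    name: seal(fileKey, Buffer.from(name, 'utf8')),
    contents: seal(fileKey, contents),
  };
  return { loginCredential, stored };
}

// Client side, after download: only the password holder can rebuild fileKey.
function decryptDownload(password, salt, stored) {
  const { fileKey } = deriveSecrets(password, salt, stored.fileId);
  return {
    name: unseal(fileKey, stored.name).toString('utf8'),
    contents: unseal(fileKey, stored.contents),
  };
}
```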

The ability to encrypt files online is not new, of course, and has been used by sophisticated copyright pirates for years. But it has required a certain amount of specialized knowledge. As Dotcom himself admitted at his press conference, however, the automated system employed by Mega “is going to take encryption out to the mainstream.” Within a few hours of Mega’s launch, in fact, it had lined up over 500,000 registrants worldwide.

The mainstreaming of encryption will likely leave anti-piracy groups with little choice but to challenge the practice, whether in a new case against Dotcom or against some other operator.

The key legal issue will be whether Mega’s carefully engineered ignorance of what its users are posting to its servers really protects the operator from liability. In the past, courts have held that online service providers are only required to remove infringing material under the DMCA when provided with particular knowledge of a specific infringing file. Mere awareness that infringing material is available on a site has not been enough for courts to hold the site’s operator liable for secondary copyright infringement.

There are limits to that protection in the law, however, where a site operator willfully turns a blind eye to blatantly infringing behavior. So far, courts have granted service providers a lot of latitude on the willful blindness standard, despite efforts by copyright plaintiffs to invoke it. But no one has gone as far before as Mega seems to have gone in deliberately engineering its own blindness into the design of a service. At some point, it’s likely to be up to the courts to determine whether it has gone too far.