In one of the first cases of its kind in India, YouTube was recently taken to Court by TataSky for hosting videos that taught people how to circumvent the encryption on the latter’s Set-Top-Boxes (STBs). The procedural history of the case is slightly confusing, as I explain below, but the important provisions are Section 66 of the IT Act and Section 65A of the Copyright Act, the latter being the provisions protecting Technological Protection Measures. [Long post ahead]
The videos in question were apparently tutorials showing users how to crack the encryption on TataSky STBs to watch to access HD content they had not subscribed to and not paid for. This is, to my knowledge, the first case to comment on such content. The only other related case that I am aware of is an order passed by the DHC against forumfuns.com in 2015, cited in this case, though that is quite lacking. (If any of our readers know of other cases on this issue, please do comment and let us know!)
The case history is slightly confused, which in part led to delays, and I hope I’m getting it right. In fact, the Court noted that if not for the confusion, the case need not have been filed at all.
The dispute started with a complaint from TataSky to YouTube alleging a violation of Ss. 66 of the IT Act, for hacking, along with Ss. 107 and 109 of the Penal Code, by certain video(s) on the latter website, and requesting their removal under the Intermediary Guidelines. Later correspondence led to YouTube suggesting to TataSky that it frame it as a ‘circumvention of technological measures’ complaint. When TataSky did so, YouTube replied with questions regarding the copyright that was being infringed, the TPM in question, and how the content in question covered its circumvention.
TataSky then filed the suit in question for an injunction against trademark violation and the hosting of videos that taught how to hack into their STBs, and managed to get an interim injunction in its favour TataSky argued that there had been an ‘unacceptable delay’ on YouTube’s part, and that their terms and conditions were insufficient to deal with such issues.
The Court notes here that the suit in part caused by YouTube’s early confusion in the categorisation of the issue with the content, rather than its actual consideration. YouTube stated that it would update its policy and respond to such complaints from TataSky quickly, and the matter was disposed of by the Court by making the interim injunction absolute.
The Court specifically clarifies at paragraph 24 that the liability against YouTube arose not because of any trademark violation on its part, but for hosting videos that were ‘required to be taken down’. Presumably, these are the videos that allowed for ‘circumventing technological measures’, or as the interim injunction puts it, “[videos which] sought to prove any methodology or trick to hack into the system of the plaintiff or to access the plaintiffs services” and violated TataSky trademarks.
The Court notes that “Tata Sky pointed out that this was violative of its rights and of broadcasters who own the HD content broadcast through Tata Sky Platform and was an offence under Section 66 of the IT Act.” (emphasis added) It goes on to say that “In determining it to be a complaint regarding ‘circumvention of technological measures’ which is defined as an offence under Section 65 A of the Copyright Act, YouTube’s review team appears to have got into a bind about correctly ‘categorising’ it instead of actually taking a call on whether the nature of the content required taking down. If it had focused on the latter aspect the need for Tata Sky to have approached this Court for relief could have been avoided.”
The Court is here unclear on whether the videos were to be taken down as they were in violation of S. 65A of the Copyright Act or of S. 66 of Information Technology Act, though the latter is the more logical interpretation of its support of TataSky’s original position. It states, however, only that under Rule 3 (1) (e) of the Information Technology Intermediary Guidelines, YouTube cannot host any content that “violates any law for the time being in force.”
S. 66 of the IT Act read with S. 43 makes it an offence to ‘hack’ into a secured system. It can be argued that a video showing how to hack into the secured TataSky system would violate S. 66 read with Rule 3 (1) (e), and therefore should be taken down. A violation of S. 43, however, requires that someone access a computer system “without [the] permission of the owner or any other person who is incharge of [it]”. If the alleged violation is under these provisions, it implies that the ‘owner or person incharge’ of the TataSky STBs is TataSky, and not the TataSky subscribers who actually use the STBs.
As I had noted in an earlier post, this issue came to the fore recently in the US where taking such a provision to its extreme conclusion restricted even owners of products with TPM protection from tinkering with the software that was installed on their products even if this was in order to repair it. If the owner/person-in-charge of the STBs is TataSky, what are the rights of the subscribers to the STBs that they have legitimately purchased?
Since the Court has not considered the question of ‘infringement’, the violation it sees is arguably that of S. 66 of the IT Act, and not S. 65A of the Copyright Act. S. 65A limits the protection accorded to TPMs only to ‘effective TPMs’ – though ‘effective’ remains undefined – which only protect rights conferred by the provisions of the Copyright Act, and require an ‘intention to infringe’ as well. Section 65A, therefore, states that that the protection accorded to a TPM should be restricted only to where it protects the legitimate rights of the copyright owners under the Copyright Act.
TPMs are a delicate issue with potentially wide-reaching consequences, especially since we are moving into a subscription-economy rather than a purchase-economy. In this case, the protection accorded by the Court to the TPM here would seem to overbroad. What happens, for instance, to white hat hackers and security professionals, who test the protection of various technologies? With the wide interpretation of the Court, the act of circumvention itself, even by such professionals, would be a violation of S. 66. While of course S. 66 read with S. 43 provides for the ‘person incharge’ giving permission, the ‘permission’ requirement is somewhat tricky when it comes to white hat hacking. In a lot of cases, independent security researchers do their work without direct authorisation, bringing vulnerabilities to the attention of the owners when they find any.
Furthermore, if videos providing such content qualify as illegal content such that intermediaries are required to take them down, does this extend to books and articles as well? If yes, would it also cover books or videos about cryptography or encryption that discuss the flaws and vulnerabilities of such methods? To put it differently, where does the protection accorded to TPMs stop?
This is arguably why S. 65A of the Copyright Act limits their application as it does – the same limitations that are lacking here. Along with the limitations noted earlier, S. 65A (2) incorporates ‘fair dealing’ and other exceptions. S. 65 (b) exempts, for instance, “doing anything necessary to conduct encryption research using a lawfully obtained encrypted copy”, relevant for white hat hacking. The Court seems to fail to note that there can be legitimate reasons for the circumvention of TPMs. These issues could have been discussed in more depth. YouTube’s initial approach, of categorising this as an “alleged circumvention of technological measures”, would arguably have been the right step.
However, it must also be noted that a S. 65A violation would have been difficult to establish. S. 65A doesn’t provide for liability for ‘showing how to circumvent’ TPMs, if the person doing the circumvention does not ‘infringe’ on the rights protected by the Copyright Act. The proviso to S. 65A only mentions that such ‘facilitators’ must keep records, but then the question is, who is the ‘facilitator’ – YouTube, or the creator of the videos? Secondly, what is the penalty for such a ‘facilitator’ who fails to keep records? And it is still unclear whether these videos would then be ‘unlawful content’ under S. 65A if the person making the video can be argued to have no ‘intention to infringe’.
The jurisprudence surrounding these provisions needs to be developed carefully, learning from the experience of other jurisdictions. There is much clarity needed on this issue, but while this case represents nascent steps in Indian TPM jurisprudence, it fails in making it any clearer.
My thanks to Swaraj for his inputs on this post.