Motion Picture Association – Written evidence (FDF0068)
Motion Picture Association (MPA) submission to the Lords Select Committee on the Fraud Act 2006 and Digital Fraud inquiry
The MPA welcomes the opportunity to respond to the call for evidence from the House of Lords Committee on the Fraud Act 2006 and Digital Fraud. We are grateful for the chance to share our views on what actions should be taken to tackle the increase in cases of fraud, and in particular fraud committed through digital services. We believe that MPA’s extensive experience of tackling digital piracy, including successful UK prosecutions which often rely on the Fraud Act 2006, have given our forensic investigators an intimate knowledge of both how cybercriminals operate, what facilitates their activities, and most importantly what legislative measures may hinder their online operations, thus reducing harm to both businesses and consumers.
About the MPA
The MPA is the international trade association for the major companies that invest-in, produce, distribute and market film and television content in the UK: Walt Disney Studios Motion Pictures, Netflix Studios, LLC, Paramount Pictures Corporation, Sony Pictures Entertainment Inc., Universal City Studios LLC, and Warner Bros. Entertainment Inc. MPA member companies represent a key part of the UK film and television industry, both as significant inward investors and with a strong permanent presence in this country. The products and services of the film and television sector are important contributors to the success of the UK’s high-growth, intellectual property-rich creative industries, which (even during the coronavirus pandemic) contributed £104bn in GVA and almost 2 million jobs to the UK economy in 2020.
Copyright (a type of intellectual property (IP) right) is the bedrock of the success of the UK’s creative industries, as it allows creators of all forms of creative content, including audiovisual content, to exploit and generate revenues from that content, allowing a return on investments and subsequent investment in new content. The MPA works globally, in partnership with governments and law enforcement, to defend copyright against digital piracy and protect audiovisual creators and consumers from the economic and personal harms it causes, including through consumer education campaigns.
Annex 2 – Creative Industries Council KYBC Briefing Paper (September 2021)
“Know Your Business Customer” obligations
A briefing paper for UK policy makers from Rightsholders on the Creative Industries Council
Many larger rightsholders in the UK have extensive experience using the tools available under UK law to attempt to trace the operators of illegal services that trade in pirated content and counterfeit goods.
But these efforts are increasingly thwarted by the ability of illegal operators to provide commercial services online under a cloak of anonymity, from anywhere in the world. Even where, after lengthy investigation, intermediaries supporting illegal services are identified and contacted (e.g. cloud, hosting and related infrastructure services), investigations often hit a dead end. The reason is that the intermediaries cannot supply any information that allows for the verification of the illegal service provider. Or the information they can provide is clearly false.
In too many cases, UK-based and overseas intermediaries who sell illegal operators the tools to operate their illegal businesses online simply don’t know the identity or whereabouts of their own business customers, and are not incentivised to find out.
Both sides are presented with no risk for non-compliance, while the public, including UK rightsholders and consumers, bear the cost of the resulting proliferation of illegal and harmful content online.
Unmasking the true identity of the operators of illegal and harmful online services would lead to a reduction of such content online and would greatly facilitate consumers’ and business customers’ efforts to seek redress in respect of it.
The absence of accurate data about the identity of business customers also inhibits the ability to implement meaningful repeat infringer policies. It allows malicious actors to take advantage of companies that would otherwise be enforcing more responsible methods of addressing infringing behaviour.
An obligation on operators of online services to disclose their identity actually already exists: Article 5 E-Commerce Directive (ECD) as transposed into UK law by the Electronic Commerce (EC Directive) Regulations 2002 (E-Commerce Regulations), establishes that service providers shall render easily, directly and permanently accessible to the recipients of the service and competent authorities identity information, including:
The above information should allow the operators of harmful and illegal services to be located and contacted rapidly and communicated with in a direct and effective manner. The problem is that commercial entities that intentionally distribute illegal and harmful content obviously choose not to comply with this obligation.
Introducing a KYBC obligation on intermediaries that provide internet services to others would require those intermediaries to ascertain and verify the identity details of their commercial customers, irrespective of their location, before any business can be conducted between the two. This would result in a real, tangible and complementary solution to the problem of non-compliance and fulfil the intent of Article 5 ECD, whilst creating a safer online environment with minimal burdens on legitimate businesses.
As the UK has left the European Union, we believe that the UK Government now has a perfect opportunity to exercise its sovereignty and close this loophole, thereby improving upon retained EU law and, in doing so, actively to support the UK’s Creative Industries which, prior to the pandemic, were growing at five times the rate of the economy as a whole and across all UK nations and regions.
Rightsholders face two problems when trying to identify the operators of illegal websites: firstly, operators of illegal websites simply choose not to comply with the current obligation resulting from the UK E-Commerce Regulations, i.e. that all service providers should make their contact details available on their websites; secondly, that intermediaries fail to obtain reliable contact information from their business customers, which include the operators of illegal sites.
Under EU (Article 8 Intellectual Property Rights Enforcement Directive – IPRED) and UK law, courts can order intermediaries to reveal the identity and contact details of the infringer of IP rights. Unfortunately, the intermediary is often unaware of, and unwilling to establish, the identity of the business customers to which they provide services. Under existing law, they face no consequences for failing to obtain this information.
In a flagrant contradiction to this, certain intermediaries are knowingly passing on the personal details of rightsholders, using platforms’ reporting services, to infringers leading to serious and harmful consequences for individuals following up on infringements.
This status quo enables operators of scam websites seeking to defraud consumers, as well as operators of online services illegally distributing gambling, pornography, and other illegal and harmful content, to freely serve UK consumers, using UK and EU-based infrastructure, with an impunity borne of complete anonymity.
To illustrate the extent and seriousness of the problem a number of case studies, reflecting a range of sectors across the Creative Industries, are provided at Annex 2.
When considering the categories of intermediary to be covered by KYBC obligations, it is necessary to find the right balance, recognising that the operators of sites and services distributing scams or illegal content are using a wide range of intermediaries in order to operate.
Against this background, we propose that KYBC obligations should be applicable to the full range of services that enable the possibility of operating an information society service covered by the E-Commerce Regulations. These would include, for example:
For the avoidance of doubt, privacy protection companies should not suffice/be considered to be an individual customer for KYBC, i.e. they should have their own KYBC obligations and not act as a shelter for malicious actors.
KYBC obligations impose minimal or no burdens on legitimate businesses, all of which are easily identifiable.
Making a defined set of intermediaries responsible for collecting data to confirm the identity of business entities with whom they are directly contracting and who need their services to perform their online business activities - and verifying that data - should be easy to implement as part of the sign-up process and subsequent periodic re-verifications.
In the event the intermediary fails to, or is unable to verify the identity of its commercial customer, it will have to stop providing the services to the respective customer, which would provide an important disincentive against illegal or harmful activity.
Legislating to implement KYBC obligations would represent a codification of practices already adopted by a small number of the most responsible online players. Unfortunately, such practices are very widely ignored and there is a strong case for harmonisation.
It is important to underline that the KYBC obligations proposed do not affect the liability privileges in the E-Commerce Regulations but create new and direct obligations on certain categories of intermediaries. Dissuasive financial penalties should be introduced for non-compliance.
ANNEX 1 – RIGHTSHOLDER SIGNATORY ORGANISATIONS
This paper is submitted on behalf of the following rightsholder organisations on the IP subgroup of the Creative Industries Council:
ACID – Anti-Copying in Design
BASE – British Association of Screen Entertainment
BFI – British Film Institute
BPI (British Phonographic Industry) Ltd
British Fashion Council
English Premier League
Featured Artist Coalition
Motion Picture Association
ANNEX 2 - INDUSTRY CASE STUDIES
The following case studies evidence the harm caused by identity concealment in online business interactions across the UK’s Creative Industries. As well as clearly demonstrating economic harm, some examples also show how serious personal harms flow from economic harms, such as online piracy. Both types of harm are actively facilitated by a lack of transparency in the current system that can be easily rectified.
Publishers Association: File-sharing Websites
(example: ‘Shadow’ Library Genesis)
The Publishers Association is a member organisation for UK publishing, representing companies of all sizes and specialisms. Its members produce digital and print books, research journals and educational resources across genres and subjects.
Library Genesis is one of the most notorious pirate site networks harming members of the Publishers Association. It is listed on the European Commission’s Piracy and Counterfeiting Watch List, and the site - plus several Library Genesis-linked sites - have been subject to 97a siteblocking in the UK.
Library Genesis offers illegal copies of copyrighted books (trade and academic), scientific journal articles, magazines, and other printed materials, frequently in cooperation with Sci-Hub, another notorious pirate site listed on the European Commission’s Piracy and Counterfeiting Watch List.
The Library Genesis network has existed since 2008, yet the operators remain unknown. This is despite publishers’ extensive efforts to enforce their rights, including civil litigation resulting in permanent injunctions against the site and its service providers, subpoenas to service providers, and multiple UK and EU siteblocking actions.
Library Genesis remains active to this day. The lack of a KYBC requirement has impeded publishers’ efforts to hold the operators responsible for the infringement or otherwise end the infringement. The civil litigation and site-blocking efforts have resulted in ever-changing domain names and hosting providers, with no end to the piracy in sight.
Anti-Counterfeiting Group: Online Marketplaces (example: WISH)
The Anti-Counterfeiting Group (ACG) is a not-for-profit trade association respected as one of the world’s leading specialists in the fight against the growing global trade in counterfeit goods. ACG represents its UK and EU members on the global stage, who together make up over 3,000 of the world’s most prestigious brands.
WISH is an online platform, owned by WOWCHER, that offers products to consumers at huge discounts. Most of the goods sold on WISH have been identified as “suspicious” due to its pricing structure and the location of sale.
Moreover, test purchases by numerous ACG brands have evidenced the availability of counterfeits on the platform. Trader details are anonymised and payment for goods proceed via WOWCHER, making it very difficult to track and trace the actual seller.
Similar activities are regularly carried out on online marketplaces such as Etsy, Amazon and eBay, all of which are popular with counterfeiters. The implementation of KYBC obligations would
BAPLA: Social Media (example: Instagram)
The British Association of Picture Libraries & Agencies (BAPLA) represents over 115 picture library and agency members, providing the main source of licensed images seen every day in print and digital media, who in turn represent some 120,000 professional photographers, videographers and illustrators, many of which are SMEs or sole traders.
A report on online infringement published by BAPLA in November 2019 showed:
In addition to these figures BAPLA is all too aware of the personal harm that can flow from economic harms, such as copyright infringement. Recently the organisation was alerted to a particularly serious incident of personal harm by a contributing photographer.
The case that follows exemplifies the need for a requirement for commercial entities, such as social media platforms, to reveal anonymous users in cases of commercial exploitation of copyright works.
Several social media platforms inform rightsholders, who report infringements, that the platforms pass on the rights owner's name, email address, and the nature of the report, to the person who posted the content.
There is no obligation in such cases for users to reveal their identities reciprocally, nor any liability placed on these types of online intermediary to address the issue. This is a situation which can, and must, change.
Getty Images UK: Online Marketplaces (example: eBay)
BAPLA member, Getty Images UK, demonstrated in its recent evidence to the EU’s Digital Services Act consultation that it is common to find third party sellers on online marketplaces who repackage and sell their copyright protected content without authorisation.
For example, a search on eBay (US), conducted on 5 September 2020 for the word “istock” - a registered trademark owned by Getty Images - returned multiple listings for users selling “any stock image” for well under market prices, including listings by commercial sellers who Getty Images had previously reported to the marketplace. Although eBay acted to remove the reported listings, the same seller brazenly relists shortly thereafter and eBay takes no additional action to stop this behaviour.
The introduction of KYBC procedures by online intermediaries, including online marketplaces, would act as a significant deterrent to such repeat infringers.
FILM & TV
Motion Picture Association EMEA: File-sharing websites (example: Openload)
The Motion Picture Association (MPA) represents the interests of the film, television, and streaming industry around the world. Its members distribute some of the highest quality and most popular audiovisual content and represent a key part of the UK film and TV industry, both as significant inward investors and with a strong permanent presence, including owning major UK production companies and facilities.
The MPA has extensive experience using the tools available under UK and EU law to attempt to trace the operators of illegal services. A high-profile example is Openload, a notorious pirate service that was listed on the Commission’s piracy and counterfeiting watch list. Openload also provided back-office services for scores of websites on the UK Police Intellectual Property Crime Unit’s Infringing Website List.
After a multi-year, resource-intensive investigation by MPA, this service was revealed to be hosted in and operated from within the European Union (EU), with infrastructure from EU service providers. When the MPA obtained a court order directing the EU hosting provider to identify its customer for Openload and two other pirate services, we hit a dead end: the listed customer was a defunct Hong Kong shell entity. The hosting provider admitted, despite having collected more than €19M in hosting fees, that:
“The data communicated by our client are purely declarative. [Host] therefore does not possess any element permitting verification of authenticity.”
The introduction of KYBC obligations in the UK would address this failure by forcing UK-based intermediaries to know exactly who their business customers are. In MPA’s experience, concerted action on transparency in the UK and EU would have the added effect of significantly degrading the quality of the infringing services that pirate operators based overseas can provide to UK consumers by forcing them to use lower quality infrastructure based outside of Europe.
BPI: Proxy Servers (example: Unblockit & Cloudflare)
The BPI represents the UK’s recorded music industry, championing the interests of small independent music labels alongside major record labels. As part of its work to protect the value of creative content and the livelihoods of UK music artists, BPI regularly comes up against websites such as Unblockit.
Unblockit is a Multi-Site Proxy Aggregator, acting as a signpost guiding ordinary users to websites that are blocked in multiple countries. In 2020, Unblockit was visited over 85 million times from the UK, in spite of the fact that many pirate brands it features are blocked under section 97 of the UK’s Copyright, Designs and Patents Act.
Unblockit represents a particularly egregious example of ‘domain hopping’, i.e. the practice of relocating (hopping) to new domains to avoid being penalised. In the absence of KYBC requirements, pirate site operators can register as many new domains as they like, in perpetuity. When enforcement activities are implemented – be it ISP blocking, search engine delisting or otherwise – Unblockit and sites like it simply move to a new domain, as shown in the graph below.
To obscure its activities even further, Unblockit uses Cloudflare, a service that sits between the users and the server where the site is hosted.
Services like Cloudflare exacerbate the problem of domain hopping by masking the IP address of the hosting server, which complicates the investigation process. 75% of the sites currently being blocked at ISP level or de-indexed from search engines by BPI are registered with Cloudflare. Cloudflare has no KYBC procedures in place, which means that, even if they do suspend their services for a given domain, the site operator can immediately register a new one.
Unblockit is just one example of many sites which adopt the practice of domain hopping and rely on Cloudflare to circumvent and delay enforcement action. Indeed, domain hopping greatly benefits from the lack of enforcement of the current E-Commerce Regulations and has become an integral part of the business model of pirate sites. Government intervention is needed urgently to properly enforce the existing E-Commerce Regulations and ensure the effective delivery of industry-wide KYBC procedures.
BPI: Online marketplaces (example: eBay)
BPI also has extensive experience dealing with sellers of unlicensed music on eBay. In 2020, BPI removed 53,000 listings from online marketplaces, and 38,000 of these were from eBay.co.uk.
Sadly, it is a game of whack-a-mole, with a continuous repopulation of infringing listings by the same seller or different sellers, often suspected to be the same individual(s). In fact, 13% of the listings removed from eBay in 2020 resurfaced under different listing IDs or seller accounts.
This repopulation was also observed while scanning the platform for unauthorised 2020 Record Store Day (RSD) releases, some of which reappeared on eBay just 24 hours after they had been removed. This event supports independent record stores, which have suffered terribly from the COVID-19 pandemic and subsequent lockdown measures, making this kind of flagrant infringement even more damaging in this context.
There is currently huge disparity in the way KYBC procedures are interpreted and implemented by different platforms. This can result in a concentration of infringement on platforms, such as eBay, where verification of sellers is insufficient, ineffective, or simply not taking place at all.
An effective KYBC verification system would ensure that offenders face real-world consequences and would deter them from re-listing infringing content under the same or different accounts.
Premier League: Internet Registries (example: Network Dedicated SAS & RIPE NCC)
The Premier League is the undertaking which organises and administers the Premier League football competition in England and Wales. The Premier League controls, amongst other things, the worldwide audio-visual rights to each Premier League match and is solely responsible for the licensing of the live audio-visual rights to all such matches in territories around the world. It works proactively and constructively with its Member Clubs and the other football authorities to improve the quality of football, both in England and across the world.
As part of an extensive global anti-piracy and IP protection programme, the Premier League frequently carries out detailed investigations to identify those responsible for providing unauthorised live streams of Premier League matches. This includes the organisations responsible for providing servers and Internet Protocol addresses that enable the delivery of illegal live streams of Premier League matches by pirate operators around the world.
10 May 2022
 Oxford Economics report for the Creative Industries Federation, July 2021 (accessible here).
 See examples of UK education campaigns supported by MPA here, here and here.
 See The Royal United services Institute’s 2021 “Taking the Profit Out of Intellectual Property Crime: Piracy and Organised Crime” report (accessible here).
 See coverage of FACT’s successful prosecutions here, here and here.
 See Europol’s “Internet Organised Crime Threat Assessment 2020” (accessible here).
 A more detailed MPA briefing explaining ‘Piracy-as-a-Service’ is available on request.
 The US’s Digital Millennium Copyright Act 1988 provides a ‘notice and takedown’ tool to help copyright holders get infringing user-uploaded content removed from websites.
 See Digital Citizens Alliance & White Bullet’s August 2021 report “Breaking (B)ads: How Advertiser-Supported Piracy Helps Fuel A Booming Multi-Billion Dollar Illegal Market” (accessible here).
 In this context ‘malware’, in addition to ‘malvertising’, included ‘Browser Hijackers’, ‘Keyword Loggers’ for hacking usernames and passwords, and ‘Trojan viruses’ used to steal data.
 See RUSI’s March 2021 “Taking the profit out of intellectual property crime: piracy and organised crime’’ report (accessible here).
 See Regulation 6 “General information to be provided by a person providing an information society service” (accessible here).
 The UK opted out of transposing the 6th Anti-Money Laundering Directive (due 13 December 2020) only because most of its requirements are already covered by existing UK law. Registers established in the UK prior to the end of the transition period will remain (Source: https://www.lawsociety.org.uk/en/topics/brexit/anti-money-laundering-after-brexit).
 We note in this regard the government’s intention, as expressed in its Corporate Transparency and Register Reform White Paper, to reform the powers and role of Companies House “with the ambition of being the most innovative, open and trusted registry in the world” and in so doing “boost Companies House capacity to combat economic crime.” We understand these reforms will be introduced in the upcoming Economic Crime Bill in the 2022-2023 parliamentary session.
 See https://www.gov.uk/government/publications/ip-counter-infringement-strategy-2022-to-2027/intellectual-property-counter-infringement-strategy-2022-to-2027
 For GVA and employment data please see: Oxford Economics report for the Creative Industries Federation, July 2021:
 Ibid, p. 7. The Creative Industries (CIs) contributed £111.7bn to the UK economy in 2018, a 43.2% increase in real terms since 2010. Between 2017 and 2018, the CI GVA grew by 7.4% in real terms, which is more than five times the growth rate of the UK economy as a whole. In employment terms, the CIs employed 2.10 million people in 2019, an increase of 34.5% from 2011.
 Please see British Association of Picture Libraries & Agencies case study in Annex 2 - Industry Cases Studies: Images.
 The Anti-Counterfeiting Group offers examples of KYBC best practice for intermediary operators as follows:
 BAPLA Research into Online Copyright Infringement, November 2019 https://bapla.org.uk/bapla-releases-its-first-online-copyright-infringement-report/