As last week’s arrest of Megaupload owner Kim Dotcom emphasized, the main character in the SOPA/PIPA debate is the foreign thief. He’s everywhere—robbing Americans of their creativity, jobs, and money. Worse, he’s enjoying himself. As the Chamber of Commerce put it: “The criminals behind these sites are laughing all the way to the bank, stealing the best of American creativity and innovation at the expense of our jobs and consumers.”

[Strictly speaking, the top five pirated films of the year were Fast Five, The Hangover II, Thor, Source Code, and I am Number Four. It’s not a ‘best of’ list, exactly, but that’s a different story.]

Even most opponents of SOPA/PIPA maintain a common front on this issue: the foreign thief must be stopped. Chris Dodd is right about this: the only public debate is about how.

For the past few years, Kim Dotcom (nee Schmitz) been the MPAA’s go-to example of the foreign thief. Dotcom is a flamboyant hacker/entrepreneur with a fraud conviction, a penchant for fake names, and a fortune built, like many new media fortunes, in the grey areas of IP law. Megaupload was one of the first cloud storage or ‘cyberlocker’ services, and is routinely ranked in the global top 50 in traffic. There is little doubt that it hosted a lot of infringing media. There is doubt about the extent to which Megaupload encouraged this, and how that impacts charges of criminal infringement.

The Megaupload case has important legal implications. Mike Masnick has a very good rundown, but let’s focus on two. The case will certainly challenge the scope of the “safe harbor” from liability afforded online storage providers—a very important issue in an era of cheap, ubiquitous cloud services. It will also be a front in the government’s (and, more particularly, MPAA’s) push to shift from an ex post model of enforcement, involving notification and takedown requests when infringing content is identified, to an ex ante model based on the surveillance and filtering of user activity. If this sounds familiar, it’s because it is also fundamentally at stake in SOPA, and raises all the same censorship and free speech issues. Holding Megaupload liable for failing to monitor and filter user activity for infringement, for example, would compel monitoring across a wide range of web services, from search to social media. And that would mark a very fundamental shift in the freedoms associated with the Internet. SOPA and the Megaupload case are part of this long game.

The Megaupload indictment is also a public effort to cast a villain in the file sharing story: to prove that someone, other than consumers, benefits from piracy. Kim Dotcom’s arrest—with all of his luxury cars on prominent display—is about making the case not only for abstract losses to industry but also theft from industry. We’ve repeatedly taken issue with the industry calculation of losses, most of which are fictional. But let’s ask the narrower question. Who is the foreign thief, and how much is he stealing?

As usual when talking about piracy, there are lots of claims but very few hard numbers. The revenue estimates that do circulate in file sharing cases are notable, however, for their miniscule size compared to the 10s or, occasionally, 100s of billions in losses claimed by industry groups. Here are a few examples…

The Swedish trial of The Pirate Bay trial in 2009 became an occasion for all sorts of competing estimates of revenues. Record industry group IFPI estimated the site’s revenues at $3 million per year. The MPAA described $5 million in revenues. But prosecutors endorsed a much lower number: $170,000 from advertising (against what the defense characterized as $112,000/year in server/bandwidth costs and $100,000 per year in revenue). This is for a site that appears consistently among the top 100 visited sites in the world.

NinjaVideo, a Brooklyn-based movie indexing site whose owners were arrested in 2011, was alleged by prosecutors to have made $500,000 in 2½ years. After the site began to make money, the four administrators split the revenue, netting around $33,000/year each after expenses. Hana Beshara, the site’s primary owner, was sentenced to 22 months in prison under the US No Electronic Theft (NET) Act.

Brian McCarthy, the owner of Channelsurfing.net, a Texas-based sports streaming site, was alleged by prosecutors to have made $90,000 over five years. He also faces jail time and fines under the NET Act.

Immigrations and Customs Enforcement (ICE) made some partial revenue estimates for targets of its 2010 domain name seizure program, Operation In Our Sites, based on information from advertising network Valueclick. According to ICE investigators, Torrentfinder, a BitTorrent site, made about $15,000 in ad revenue from Valueclick over a year in 2008-2009. Onsmash, a music link site, made around $2,500 in 2009-2010.

The ICE numbers aren’t complete accounts, but they met the traditional definition of “commercial” copyright infringement that justified the criminal charge (US District Court Case # 10-2822). What they don’t do is describe a very lucrative or, in any other respects, criminal business.

This is a point we’ve made repeatedly regarding the incentives for criminal involvement in piracy. We see little evidence that there’s much money to be made from it—especially as the costs of setting up and running such sites decline. It’s very likely that the larger sites generate significant revenues from advertising—indeed even in the torrent admin community (see below) it’s assumed that the handful of top sites generate six and even seven-figure revenues annually. But at any given time there are only a few such sites. And even accepting the IFPI estimates, it’s chickenfeed. The top 5 pirated films, for comparison made $2 billion last year. The (non-overlapping) top 5 grossing movies made nearly $5 billion. Piracy generates an overwhelmingly consumer, not criminal, surplus.

It’s easy to see how Kim Dotcom got rich by being an early entrant in the cloud storage market, in the only part of the business that required a lot of large file transfers. (Much the same is true of broadband adoption, for which piracy has always been the early killer app—especially outside the US where legal web services are still underdeveloped.) As a subscription business selling a scarce commodity, Megaupload’s revenues were many times larger than the largest torrent or link sites. In 2010, execs at Paramount Pictures estimated (in testimony to Congress) its profits at between $41 million and $300 million per year, with the range reflecting different assumptions about its subscription rate. The Justice Department’s recent indictment put the number below the low end of the range—committing to only $175 million in total revenues since 2005–under $30 million/year–and reflecting a roughly 7-1 split between subscriptions and advertising. There are no estimates of how much of this came from legal sources.

In contrast, it’s hard to see how this model remains lucrative. Storage costs are falling rapidly, and there are no barriers to entry or significant network effects. For a comparable market, look to the highly competitive web hosting business rather than search engines or operating systems, which have more characteristics of natural monopolies. Many companies–including Megaupload–already give large amounts of storage away. Many compete for “premium” users, either with inducements or bundling with other services.

Source: Mike Ames

The sum of Megaupload’s activities may well satisfy a court that it encouraged large-scale copyright infringement, and therefore should be found guilty. But Megaupload’s survival is not the main concern: it’s what happens when all storage is mirrored in the cloud. It’s whether we’ll monitor and police the core features of the web: storage, linking, and search.

The Torrent Admins Survey

Now that the nerds have (provisionally) won the argument that DNS blocking could break the Internet, attention will turn to “follow the money” enforcement strategies—especially those targeting advertising and payment systems. We might ask, in this context, what “follow the money” looks like in a sector where there are few barriers to entry and costs are falling toward zero? To find out more, we prepared a short survey of torrent site administrators, which was circulated through torrent admin lists and IRC channels by some trusted intermediaries. We received 11 responses to our survey—most of them anonymous; most of them ‘vouched for’ by our partners; and most of them anonymized through various services. We neither asked for nor received identifying information. This is, in other words, a small sample with some big caveats (such as selection bias). Nonetheless, the responses tell an interesting story.

Responses came from a pretty wide spectrum of sites, including:

2 that receive over 10 million visits per month

2 that receive 2-10 million visits per month

2 that receive 500,000 – 2 million visits per month

2 that receive 25,000-100,000 visits per month

2 that receive less than 25,000 visits per month.

1 that did not specify traffic

To provide some reference points, the two current largest torrent sites—the Pirate Bay and Torrentz—receive roughly 88 million visits/month and 46 million visits/month respectively (according to Google Adwords. There are claims that this significantly undershoots traffic on those sites.) Although cyberlocker sites like Megaupload and Mediafire now outdraw torrent sites by a wide margin, the latter remain a good indicator of the cost structure—and costs of entry—of large scale file sharing. BitTorrent is now a thoroughly commoditized technology, running on low cost hardware with freely available software. Cyberlockers are slightly further behind.

How much does running a torrent site cost? The largest site in our survey, with over 10 million visits per month, was also the most expensive. It reported server and bandwidth costs of $25,000-$30,000 per year. Most of the sites operate on less than $10,000 per year. A couple of the smaller ones were under $3,000.

How much money do these sites make, and how? Of the eleven responses, only the largest site used advertising. It reported a roughly break-even operation, with costs covered in most months by ads. The other ten do not use advertising. These are typically the smaller, private trackers that require invitations to join—a category that nonetheless reaches into the millions of visits per month. Eight indicated that they meet the majority of their expenses through member donations. Only one indicated that it fully met expenses this way. Only one earned additional income through affiliate links. The balance typically comes out of the pockets of the site administrators.

Although we received less information on staffing, several indicated that they operated entirely with volunteer labor—in a couple cases involving communities of a dozen or more administrators. This is the norm among smaller, private sites.

The picture that emerges from the survey is one of financially fragile but low cost operations, dependent on volunteer labor, subsidized by users and founders, and characterized by a strong sense of mission to make work more widely available within fan communities. Few such sites make or seek to make money. Many are specialized communities exchanging media of particular types, genres, or languages. A site like NinjaVideo began this way, but grew into a larger, revenue-making operation.

Rights holder pressure on payment systems is not new, but it has been ad hoc. Credit card companies were enlisted in the mid 2000s, when the record industry group IFPI waged war against the (nominally legal) Russian pay-download site AllofMP3. Industry threats against safe harbor provisions for payment providers played an important role in this process. No payment provider wants to tangle with industry lawyers on behalf of an accused infringing site, even if there is no legal basis for cutting off service. Few accused sites are able to lawyer up to respond. Strict legality doesn’t make much difference in such contexts. One site administrator showed us a letter from a payment provider terminating service based on a DMCA complaint—a law that makes no such provisions.

SOPA and PIPA legalize these strategies and make them much easier to use. Under SOPA, rights holders gain a strong right of “private action” that allows them to issue cut off letters directly to advertising services and payment systems. The latter must cut off service or face secondary liability for infringement. Under SOPA, moreover, neither the payment system nor the rights holder is liable for damages from any mistaken or overly broad actions. The “safe harbor,” under these circumstances, is repurposed to empower the complainant rather than the user.

Independent of the potential for collateral damage, SOPA and PIPA are best understood as collections of harassment measures for pirate sites, rather than any sort of “solution” to piracy. A loss of advertising revenue would harm some file sharing sites—especially the larger, more public sites that have grown into advertising-dependent commercial operations. The loss of primary payment systems such as PayPal would complicate life for the smaller torrent sites, but wouldn’t cut off revenues: there are many ways to manage the modest donation systems that keep these sites in business.

Some parts of the file sharing ecology, consequently would be vulnerable to payment system attacks. But the overall impact is likely to be low. Much of the file sharing ecology already operates at very low cost, on minimal revenue. Much of the labor is volunteer—with advertising and the “professionalization” of staff a matter of choice rather than necessity.

We talk about the efficacy of enforcement at some length in our Media Piracy report. Many readers have concluded that enforcement doesn’t work. But that isn’t what we say. We say, rather, that we’ve found no evidence that it has worked. The main factors shaping piracy are price, income, and the declining cost of technology–and that will remain the case. But it seems entirely possible that some impact can be bought at a high enough price. The numerous critiques of SOPA and PIPA provide a good idea of that price—a broken, arbitrary, copyright surveillance regime and an Internet culture reorganized around the established content providers.

The Commercial Scale Standard

In most national copyright laws, criminal law applies only to copyright infringement on a “commercial scale.” Traditionally, commercial scale referred not to the number of copies made, but to financial benefit derived from it. (Infringement that doesn’t meet the criminal standard can still be addressed through civil law, as tens of thousands of file sharers in the US and Europe have learned.) In the past 15 years, digital technologies made a mess of this distinction. When copying was capital intensive and required a factory, scale and profit went together. But in an era of ever cheaper copies and storage, the two are delinked. What to do, then, with the commercial standard?

The US response in the 1997 NET Act was to expand the definition of commercial infringement to include the unauthorized digital receipt of anything of value, subject to an exemption up to $1000. Without the for-profit requirement, the door opened—in theory—to criminal prosecution of a much wider array of participants in file sharing. The exchange of a bunch of albums or a few copies of software can easily qualify. In practice, the NET Act has been applied not to consumer-level sharing, but to intermediaries—initially members of mostly non-commercial “warez” groups engaged in cracking software, and more recently to marginally commercial intermediaries like Hana Beshara and Brian McCarthy. (The expanded criminal model is also being exported abroad without the de minimis exceptions, through trade agreements and new enforcement treaties like ACTA).

In our view, this is a bad way to resolve the confusion around the commercial standard. It dramatically expands criminal liability without any corresponding intention of enforcing it. Law enforcement, under such circumstances, becomes arbitrary and easily captured by private parties. Industry lobbying secures funding for enforcement agencies and enforcement agencies return the favor, turning to stakeholders for staffing, planning, and cost sharing. Personnel flows between the two, anchored in the understanding that government service is rewarded later in the private sector. The US Attorney leading the Megaupload case, for example, is Neil MacBride, former head of enforcement for the Business Software Alliance. The Obama transition brought at least five RIAA lawyers to the Department of Justice. The Megaupload indictment, both in its tone and its kitchen sink approach to infringement, could have been written by the MPAA. The distinction has become a formality.

So what to do? As long as we have a culture organized around copyright, there should be ways to define and police violations of it. But our current definitions need a rethink. There is ample reason to see unauthorized copying and file sharing as inevitable in the digital era and more–as inextricable from the core features of general computing and the Internet. The law should recognize this because doing so protects the wider set of freedoms to express and innovate that build on those features. Both individuals and companies should be accorded wide latitude in their use. That said, there is no reason to defend piracy as a profit-making activity.

So one place to start might be to ditch the NET Act and SOPA and restore a narrower commercial scale standard for criminal infringement, along with a less draconian set of penalties for the times when it is invoked. Such a standard would make profit the trigger, and make that the basis for any follow-the-money actions against payment systems or advertisers. This bar could be set high enough to exempt the marginal member-subsidized torrent sites, since these are little more than group implementations of search, store, and link–the building blocks of the web. They cost little today and less tomorrow.

But the bar could also be low enough to encompass sites that start to generate a lot of money. Drawing such distinctions could help restore a useful middle ground—retaining a threshold for enforcement while rejecting both the universal liability envisioned in the Net Act and the universal surveillance implied in SOPA. It would better align the law with the actual capabilities of law enforcement to enforce, and thereby make enforcement less arbitrary. And it would help articulate a much wider zone of personal freedom to copy, based on a recognition of the wider importance of unhindered, unmonitored use of the core capacities of the web.

A reinvigorated commercial standard won’t end piracy. Nothing short of a copyright surveillance state would, to any significant degree. But the commercial standard would help drive file sharing into the non-commercial economy, leaving more room for creative, legal, low-cost commercial alternatives. That’s not a sufficient definition of copyright reform, but it may be a necessary step if we’re to bring law into line with the basic economics of our digital culture. The law can’t eliminate piracy, but it can help make it irrelevant.

Addendum: Regarding the monetary harm of Megaupload’s activities, the Justice Department characterized it, without explanation, as “well in excess of $500,000,000” since 2006. And although that number is probably meant to impress, it’s somewhat baffling. Even without a per annum breakdown, it comes nowhere near the annual piracy losses claimed by the major industry groups—whether the BSA’s $58 billion loss claims for software losses in 2010 or the “conservative” $26 billion estimate for movie, music, and software piracy from 2007, which lazy journalists still allow to circulate. This for the site that MPAA called “By all estimates… the largest and most active criminally operated website targeting creative content in the world.” Since we’re using made up numbers here, let’s make up some more–and for the sake of argument, some extremely favorable ones for the Justice Department’s effort to paint Megaupload as the big bad. Posit that all $500 million in losses came in 2011. Posit the $26 billion loss number. Megaupload’s contribution to the pirate economy tops out at 2%.