For the third time in about a week, cybersecurity law-and-order news includes a criminal case that’s been brewing for more than a decade.
This time, the news is prison sentences for two of the main four original defendants in the infamous Megaupload saga.
If you weren’t following cybersecurity a decade ago, we’ll recap directly from the article we published at the time of the site’s takedown by the FBI in early 2012:
Megaupload’s larger-than-life founder, who these days answers to the name Kim Dotcom, certainly likes to show off.
He and his crew ran a bunch of swanky, top-of-the-range cars with in-your-face number plates such as GOOD, EVIL, MAFIA, HACKER, STONED, GOD and GUILTY.
But whether Dotcom turns out to be GUILTY or GOOD, he’s certainly in a lot of trouble right now. He was arrested at his sprawling mansion home in New Zealand last week [January 2012]. If the FBI gets its way, he’ll be extradited to the USA to be charged with a whole raft of offences.
Mr Dotcom, apparently born Kim Schmitz, isn’t just facing copyright offences, but is also charged with conspiracy to commit racketeering and money laundering.
The short version of FBI’s beef with Megaupload, or the Mega Conspiracy as the FBI describes it, is that the organisation generated revenue primarily as a side-effect of encouraging and rewarding the large-scale uploading and downloading of stolen content such as movies, music and complete TV shows.
Megaupload fans would say, “So what?”
Google’s search engine, they say, often links to infringing material, which lets it make money out of adverts surrounding dodgy online content.
Google’s YouTube video site, say file-sharing enthusiasts, offers bucketloads of unlawfully ripped videos and audio tracks, and unashamedly makes money from links to legitimate sites served up whilst doubtful videos are playing.
And as for Kim Dotcom’s eye-watering spending on fancy cars, didn’t Google’s founders do a deal with NASA to park their private Boeing 767 at Moffett Field?
Therefore, an inveterate sharer might argue, Megaupload and Google are just two sides of the same coin.
The FBI and the US courts disagree.
The affidavit lodged against the so-called Mega Conspirators paints a different picture: “In contrast to legitimate internet distributors of copyrighted content, Megaupload.com does not make any significant payments to the copyright owners of the many thousands of works that are willfully reproduced and distributed on the Mega Sites each and every day.”
The Mega Conspirators
Four men were identified as the chief movers-and-shakers in the Mega Conspiracy all those years ago.
There was the abovementioned larger-than-life Kim Dotcom, along with Mathias Ortmann, Bram van der Kolk, and Finn Batato, depicted here in silhouette at the founding of their followup company Mega, which cheekily launched on the anniversary of kim Dotcom’s larger-than-life arrest:
Batato, sadly, died of cancer in 2022.
Ortmann and van der Kolk challenged extradition for many years, but finally agreed to a deal where they’d be spared extradition in return for being charged, convicted and sentenced in Aotearoa.
(Aotearoa, in case you’re wondering, is the other official name for New Zealand, which is commonly abbreviated to NZ, and pronounced En Zed, in case you ever need to say it out loud.)
Dotcom continues to to insist that he’s a scapegoat and is challenging being sent to the US for trial, despite Aotearoa ruling that his extradition would be legal.
Megaupload, like its also-defunct contemporary RapidShare, was what became known as a file locker service.
That’s a file locker in the upbeat metaphorical sense of a sense of a gym locker, namely a cloud service where you can stash files for later download, not a file locker in the downbeat sense of file-locking ransomware that scrambles your files until you pay a blackmail demand to decrypt them.
The FBI claimed that Megaupload’s business model was really all about a few people uploading lots and lots of files, including ripped-off content, so that lots and lots of other people could download them for free…
…rather than simply being a file storage service where you could backup your own files indefinitely.
Simply put, the FBI considered it to be much, much more of an unlicensed megadownload service than the name Megaupload would suggest.
Sentenced at last
Ortmann and van der Kolk have now been sentenced, eleven years on, and the judge’s official report, though long at 38 pages, makes very interesting reading.
Early on, the court explicitly reminds us all that the concept of a cloud storage and file-sharing service is not intrinsically illegal, and reminds the defendants that they weren’t charged on that basis:
It is not suggested that any of the process of uploading files, being allocated a URL or sharing those URLs, itself breached any law.
However, the agreed summary of facts records that the overwhelming majority of Megaupload’s traffic consisted of content which was first, protected by copyright, and second, made available to users in breach of the rights of copyright owners.
You accept in the summary of facts that by operating Megaupload, you intended to obtain significant financial benefits from copyright infringement, to the detriment of copyright owners.
At the same time, the court argued that evidence in the case showed that the defendants knew full well that what they were doing would get them into trouble:
You also anticipated that, sooner or later, you would be the subject of legal action.
You discussed amongst yourselves the possibility of facing legal problems and the fact that this risk was increasing over time.
More importantly, the court noted that the two didn’t just anticipate legal challenges, but planned how they could pretend to react to takedown requests without actually doing so:
For example, in 2009, Mr Ortmann, you and Mr Dotcom discussed how to respond when lawsuits were threatened, and you suggested “promise some kind of technical filtering crap and then never implement it”.
The court also described how the defendants actively encouraged illegal uploaders in order to grow their subscription business, while knowingly disguising the publicly visible amount of infringing content:
For example, in January 2008, you, Mr van der Kolk, observed that it was counterproductive to disqualify any users from receiving payment “because growth is mainly based on infringement”. […]
Instead of showing the top 100 most downloaded files, Mr Dotcom and each of you curated 100 non-infringing files for the Megaupload’s “Top 100” page.
But in the event of a takedown request via the company’s Abuse Tool, only individual URLs would be removed, not the actual content they linked to:
Multiple uploads of the same file were “deduplicated”, so that multiple download URLs could ultimately point to the same file. […]
You accept in the summary of facts that this was a deliberate ambiguity, and that Megaupload’s overall concealment of its inner workings gave the impression that infringing content had been removed when it had not.
You accept that this was one of the key mechanisms which enabled Megaupload to disseminate infringing content freely, while falsely maintaining that it operated a robust and effective system to protect the interests of copyright owners.
You accept that you knew, and intended, that your response to takedown notifications would have no material effect on preventing access to copyright infringing content on your sites.
Not just the billion-dollar Big Guys
Interestingly, the court accepted that adjudicating the actual harm done to copyright holders in case like this “is a contentious topic”, and that just because international megacorporations insist that they suffer untold losses due to illegal downloading doesn’t make it true.
Notably, the court referenced a judgment in the English Court of Appeal in 2017, which questioned the typically enormous, often multi-billion-dollar, losses claimed by large corporate copyright holders:
[A]n estimate of losses based on royalties due per download was more “notional than real”, given “by no means everybody who downloaded tracks via the appellants’ website would have downloaded those tracks via legitimate means had they not been obtainable through them.”
But the court did stick up for the rights of smaller producers, who may not have suffered multi-million dollar losses, but were directly and personally harmed by piracy of their work:
However, it is not in dispute that the victims of your offending are not limited to large corporate owners of copyright protected material.
They include, for example, the numerous owners of the copied YouTube clips and smaller software developers and video producers.
As an example of the latter, I have been provided with a victim impact statement from a Timaru-based computer software developer.” [Timaru is a town on Aotearoa’s South Island.]
That local coder’s impact statement was described in court as follows:
[The Timaru developer] says that he submitted at least 10 to 20 takedown requests to Megaupload after he had noticed a decline in sales of his software towards the end of 2009, and finding pirated versions were being made available to him on the internet.
The victim notes that infringing copies of his software remained active on Megaupload after takedown requests were made, with the result that what he found to be a very time consuming process of putting in takedown notices was a waste of his time.
He states that piracy reduced his income to such an extent that it was no longer viable for him to work full-time on his software business, and while his product still yields a modest income, he was forced to take other jobs.
The victim responsibly notes that he cannot quantify how much Megaupload in particular contributed to the piracy problems he experienced.
How long should they get?
The court’s discussion on sentencing is interesting, noting that the prosecutors argued that the maximum possible sentence should be taken as 14 years, while the defence argued for an absolute maximum of seven years for Ortmann and five years for van der Kolk.
After a lengthy review of related cases in New Zealand, England and the US (including the US sentence of one-year-and-one-day handed to another Mega employee who was extradited from the Netherlands to the US), the judge decided that maximums of 10 years 6 months and 10 years respectively were appropriate.
Ultimately, in view of that fact that the defendants ultimately pleaded guilty, will collectively pay back more than US$5,000,000 in reparations (though the judge did describe this as a “drop in the bucket”), and will assist the US authorities to the point of testifying against Kim Dotcom in any American prosecution, the defendants were sentenced to 25% of their potential maximums.
Interestingly, the defendants’ requests for their alleged mental heath issues (autism and ADHD respectively) to be taken into account in reducing their sentences were rejected by the judge, who reasoned as follows:
Given the contents of the summary of facts, I am unable to accept that your conditions somehow masked or prevented you from having the capacity to see “invisible” victims, given you were clearly aware of the harm you were causing to copyright holders and that doing so was unlawful.
Both defendants were convicted of conspiring to obtain documents dishonestly, conspiring to cause loss by deception, and on various charges of participation in an organised criminal group.
Accordingly, with their assorted sentences to be served concurrently, Mathias Ortmann was sentenced to 2 years 7 months in prison, and Bram van der Kolk to 2 years 6 months, those lengths being 25% of the maximum allowable sentences that the judge had settled upon.
What next?
Following their agreement to be charged and plead guilty in Aotearoa, and to assist the US authorities in its ongoing investigations, the Americans will no apparently longer seek their extradition.
The US will accept the Aotearoa court’s sentence as their ultimate criminal punishment in this long-running saga.
Kim Dotcom, of course, wasn’t part of this case, and is still fighting extradition to the US, so the saga is not over for him.
As my learned friend and colleague Doug Aamoth likes to say on the Naked Security podcast, “We will keep an eye on this.”