▸ 2021 Copyright Injunction Frequently Asked Questions

About Quad9

Q: Who is Quad9?

A: Quad9 is a non-profit foundation dedicated to increasing the security and privacy of the Internet. Quad9 achieves this mission by providing a DNS recursive resolver service that incorporates malware blocking, and which does not track user behavior. Quad9 does not monetize or collect personal data while protecting end users, and the service is offered at no cost to any organization, institution, or individual who wishes to use it on their home, business, or mobile devices.

Q: Who uses Quad9?

A: Quad9 is used by tens of millions of users across a broad range of networks, with locations in more than180 points of presence placed in more than 90 countries. Many individuals configure their systems to use Quad9 to get additional malware and phishing protections. ISPs may choose to use Quad9 instead of their own recursive resolvers in order to provide a value to their end customers at no cost. Schools may use Quad9 because of the lack of private data collection and incredibly strict Swiss data privacy laws that are applied to Quad9. Small businesses may use Quad9 because the service is provided at no cost. Regional and local governments may use Quad9 because there is no contract or signature required to start using the service.

Q: Where is Quad9 located?

A: Quad9 is headquartered in Zurich, Switzerland.

Q: How does Quad9 protect users’ systems and privacy?

A: Quad9 does not log any personal data. IP addresses are never logged to disk and are discarded after queries are answered. No type of cookies or tracking are used by Quad9 to create user profiles or associate users with their queries. Quad9 was the first large-scale recursive resolver to use DNS-over-TLS, and currently supports three different encryption methods to ensure end user DNS data cannot be intercepted or modified. See our Privacy Page.

About DNS

Q: What is DNS recursive resolution?

A: The most common analogy is that the DNS is like a phone book that maps names like www.quad9.net into IP addresses so that computers can correctly connect users to the servers housing the desired content. The DNS does more than this simple name-to-number mapping, but as a brief description this is sufficient for an example. Owners of domain names publish their information in what are called “authoritative name servers”, which are the equivalent of the printed pages of the phone book. There is only one owner of a domain name, and one small set of servers that contain those names.

Recursive name servers operate on behalf of the end user. When a site is entered into a browser, the desktop or mobile device contacts a recursive name server and asks the equivalent of “Please look up the name www.example.com and tell me what the IP address is.” The recursive resolver then goes through an iterative process of looking up the authoritative servers for each part of the name, in a tree-like search. First, they find the root nameservers (typically in a file), then the find the servers that know the answers for “.net”, then the servers that know the answers for “example.net” and then finally they ask the authoritative servers for example.net about the IP address of www.example.net. This process is incredibly fast, and almost un-noticeable by the average user, and lookups happen thousands of times a day for a normal set of web browsing actions just for one person. See this example:

https://en.wikipedia.org/wiki/Domain_Name_System#Address_resolution_mechanism

Typically, recursive resolvers are operated by the local ISP or network administrator, but Quad9 offers a service that replaces those systems by a small change to a device’s network settings. The reasons people use Quad9 are varied, but the primary reasons are often additional security. Quad9 doesn’t answer questions about sites that are known to be malicious, which provides security by preventing people from reaching “bad” destinations. The second primary reason to use Quad9 is for privacy. Quad9 doesn’t collect any personal data or profile users based on the website hostname queries.

Q: Why is DNS malware filtering different than what is requested by Sony?

A: Malware and phishing filtering is performed by Quad9 on all sites, and for all clients equally. Malicious activity does not have a “jurisdiction” and so Quad9 applies threat mitigation as a monolithic protection feature to all queries regardless of where they originate or where the Quad9 equipment is located.

This is contrasted with copyright and content filtering which must be applied with at least two sets of criteria (and perhaps many more): the origin of the device asking for the name lookup, and the geographic location of the Quad9 server. This creates a massive many-to-many lookup process that must be performed for every single query, dramatically increasing query time and increasing processing load on the system. It also creates a large potential for errors, as overblocking or underblocking based on geolocation of IP addresses is a strong probability. We do not have the legal expertise nor the budget to verify legal claims or vet the requestors.

Additionally, there are methods by which a website may be removed from Quad9’s filtering set if Quad9 is requested to re-examine the site and it is determined to be a “false positive.” Quad9 has the flexibility and autonomy of determining if a site should be removed from the list. Note that Quad9 does not add sites to the list itself and uses a network of expert threat intelligence companies to create the list of malicious hosts. This discretionary ability to remove blocks is very different than what is possible with a set of domains for which there is no subjective decision available to Quad9 on blocking inclusion, which is what this court order imposes. Quad9 has no discretion as to what the court has imposed as a block list, which means that potentially “false positive” sites cannot be removed, and Quad9 has no ability to protest against overblocking on behalf of the rights of the users.

Q: How does DNS encryption have any bearing on this issue?

A: DNS encryption is reasonably new but is a desirable feature to protect DNS query data from interception or mid-stream modification. In the context of this case, encryption has little to no effect, as the query is (by design) decrypted by Quad9 for users who are utilizing Quad9 systems, and the blocking of content is happening after the encryption/decryption process.

About the Case

Q: What other DNS providers is Sony acting on?

A: As far as we know, Sony is currently only taking action against Quad9. Sony has not brought any claims against larger, commercial DNS resolvers. However, other major music labels are also currently taking action against DNS providers in German courts. The content delivery network Cloudflare, which also operates a DNS resolver, was also sued for injunctive relief before the Cologne Higher Regional Court in the fall of 2020 on the grounds that Cloudflare contributes to copyright infringements by having the DNS resolver resolve a domain name under which copyright infringing content is hosted. The Cloudflare case is different from the present action against Quad9, as Cloudflare is a commercial operator that has a business relationship with the website accused of infringement, for which it provides content delivery services.

Q: Why is this a dangerous precedent?

A: DNS intermediaries provide a technologically neutral, essential Internet infrastructure. They are neither involved in nor aware of potential copyright infringements that take place on the domains they give access to. Quad9 has no relationship whatsoever with the actual infringer or the operators of the websites on which the infringement takes place. By enforcing copyright claims against DNS resolvers, costs and risks of a copyright dispute that should be settled between rightsholder and infringer are externalized onto a neutral, third party.

DNS blocking for copyright enforcement purposes raises fundamental concerns. On the one hand, DNS blocking is not an effective way to stop an infringement since Internet users can circumvent a blockage easily or website operators can simply switch to another domain. On the other hand, DNS blocking affects not only illegal content, but all content hosted under a domain as blocking cannot be done on an URI-basis. DNS blocking does not only lead to illegal information being blocked, but to the denial of access to any information or services of a domain, thus restricting access to legal information as collateral damage. The blocking of entire websites is a threat to freedom of information on the Internet.

The court argues with the German law principle of “interferer liability” the so-called “Stoererhaftung”, which allows holding uninvolved third parties liable for an infringement if they have in some way adequately and causally contributed to the infringement of a protected legal interest. If DNS resolvers can be held liable as interferers, this would set a dangerous precedent for all services used in retrieving web pages. Providers of browsers, operating systems or antivirus software could be held liable as interferers on the same grounds if they do not prevent the accessibility of copyright-infringing websites.

Quad9’s service was not designed for the purposes of blocking content based on jurisdiction, and so the platform is being forced to provide services which were not originally designed nor which are desired by Quad9 nor the end user, and gives benefit to neither. Once there is the ability for rightsholders to assert control over third-party networks to perform tasks that were not originally designed, this will reduce the friction for what could be an avalanche of poorly considered blocking notices to which will be difficult or impossible to object due to volume and costs of opposition. Under German law, the costs of cease-and-desist letters have to be borne by the addressee if the addressee does not comply with the request of e.g. a rights holder based on an informal notice. We anticipate that a lot of – particularly smaller – operators will just implement blocks to avoid the risk of costs or even court cases. If this case remains to be successful for the rights holder, we anticipate the flood gates to be opened and more notices from rights holders to be sent – be it justified or not. This will eventually lead not only to overblocking, but to a risk for freedom and diversity of speech.

Q: How does this case have any effect outside of Germany?

A: This case may have serious repercussions for IT services in Europe. Should the court rule that Quad9 is liable under the principle of interferer liability ("Stoererhaftung"), DNS providers and other IT services based in the EU or the signatory states of the Lugano Convention (Switzerland, Iceland, Norway) could be sued before German courts for injunctive relief under the principle of “Stoererhaftung”. As explained above, this risk would not be limited to DNS providers, but would apply to all actors providing a service for the access to websites. This liability risk would discourage providers of IT services offering their services from the EU and Lugano signatory states.

Q: What other services are like DNS in that they could have this judgement apply to them?

A: The liability principle applied by the Hamburg District Court could be applied to any other service provider that contributes to giving access to a website on which a copyright infringement takes place. DNS providers, DNS operators in private, operators of browsers, operating systems or antivirus software could be held liable as interferers on the same grounds if they do not prevent the accessibility of copyright-infringing websites.

Q: What is the impact on the average user by this case?

A: The implementation of the court order by Quad9 does not result in the copyright infringing website no longer being accessible. The average user may not even notice that Quad9 has implemented the court order, because if they have configured an alternative DNS resolver, the request will automatically be directed to and resolved by their alternative DNS resolver.

Q: Who does this ruling affect, currently?

A: Quad9 has tried to implement the ruling in such a way that only users from Germany are affected. Quad9 has spent considerable effort on modifying its system so that the implementation of the injunction by the Hamburg District Court does not overshoot the mark and only applies to users in Germany, as ordered by the court. However, the allocation of IP addresses to a specific territory can cause difficulties in individual cases, so that the implementation of the ruling cannot be limited to users in Germany with absolute precision.

Q: Why is Quad9 not just implementing blocks when requested?

A: 1) Quad9 believes it is insufficient to block a site with no recourse simply based on the assertion that a private organization has made via a request to us, without a legal process to determine the validity of that assertion. This is an extremely worrying outcome, which we believe could quickly lead to a significant chilling effect on freedom of discourse and on the use of the Internet.

A: 2) Quad9 believes that our mission is clear: to protect end user security and privacy. Our user base expects those services, and only those services. They do not wish to reach malicious content, so their goals and our goals match. Our mission is not to prevent users from reaching content that they believe they wish to reach. If we block content that is not malicious, then we have a mismatch in what the user wishes to do and what Quad9 is able to offer. If that content blocking is enforced on our systems, then we believe Quad9 will lose the trust of our end users, who will convert to other services which may not protect them against malicious content, which is a net negative overall.

A: 3) Content blocks are by nature jurisdictionally sensitive and are applied nation-by-nation. What is blocked in country A may not be blocked in country B.

Additionally, it is functionally impossible to apply blocks such that overblocking or underblocking is not an issue. IP geographic databases are unreliable and simply cannot correctly identify the origins of all users given the proliferation of tunneled routing, DNS forwarding, VPNs, IP address transferability, and other issues which purposefully obfuscate the origins of user locations.

Given the challenge of locating users correctly combined with the jurisdictional conflicts, we see no clear way to fairly and correctly block sites given Quad9’s current service model and customer base, even if we did believe it was reasonable to do (which we do not).

Q: What is the site being discussed in the filing?

A: We have decided not to mention the name of the website publicly in order not to encourage the dissemination of potentially copyright-infringing content. The website in question contains hyperlinks to content that is hosted on third-party sites (sharehosters).

Q: Is Quad9 infringing on any copyrights?

No. Quad9 does not engage in any potentially copyright-infringing activities. Quad9 has neither knowledge of nor any relation whatsoever to the websites it gives access to by resolving the corresponding domain name. The copyright infringement at issue in the present proceedings is committed by third parties to which Quad9 has no relationship whatsoever.

Q: What about CUII in Germany?

A: Rightsholders and major German Internet access providers have recently established a "clearinghouse for copyright infringements on the Internet (CUII)". The Internet access providers participating in the CUII, such as Deutsche Telekom, Vodafone and 1 & 1, voluntarily implement DNS blocks on the recommendation of the CUII. The website in question in the preliminary injunction against Quad9 is also on the CUII's blocking list. By using an independent DNS resolver, Internet users in Germany can circumvent the DNS blocks of their ISPs. The court case against Quad9 could therefore be a targeted attempt to prevent the circumvention of existing DNS blocking practices of German ISPs and set a precedent for future action against other DNS providers.

Additionally, the CUII is an organization whose membership is non-mandatory. If it was stated that content listed by CUII must be blocked regardless of membership in CUII, then the existence of the organization has little meaning as there is no legal difference between participating in CUII and not participating in CUII as a member.