Copyright piracy and cybercrime: enforcement challenges in India

By Arpan Banerjee and Neil Gane, Alliance for Creativity and Entertainment (ACE), Hong Kong (SAR), China

In recent years, concerns around online content piracy have increased around the world. The reasons are well-known: a rise in illicit streaming platforms and torrent websites; errant web hosting services that ignore piracy on their servers; and the ease and anonymity offered by certain online intermediaries. A further hazard arises from linkages between piracy and hi-tech cybercrimes. While governments worldwide are grappling with these obstacles, a country that merits special attention is India — where a globally prominent film industry is hindered by widespread piracy and a challenging enforcement environment.

The Piracy-Cybercrime Nexus

In 2010, the Indian government’s Committee on Piracy (CoP) linked piracy with large revenue and job losses. The CoP presciently observed that the advent of smartphones and 3G would make it “much easier to undertake all kinds of film piracy.” Indeed, today, premium streaming services in India are routinely victims of mass piracy. Like in other countries, piracy syndicates in India profit mostly through user subscription fees or advertising revenues. The former method, though brazen, is self-explanatory. The latter method, however, is more insidious, owing to the presence of high-risk advertisers promoting suspicious links. Research, by McAfee, tracking pirated Indian movies and shows, has flagged such links for attempting “to install malware or steal passwords and personal information.”

For further insights, we interviewed Lieutenant-General Rajesh Pant, a noted military cybersecurity veteran now advising the Indian government as National Cyber Security Coordinator (NCSC). Pant explained: “Malware is the starting point of all our cyberattacks, whether it is financial fraud, piracy, data theft or an attack against a strategic sector. Everything starts with luring or clickbaiting.”

Pant listed some recent government initiatives meant to address the threat, including a National Malware Repository and the Indian Cyber Crime Coordination Centre (I4C). Notably, the I4C includes a National Cyber Crime Reporting Portal, where cases of piracy — with or without a malware nexus — may be reported. Pant added that piracy and malware attacks were separately punishable under the Copyright Act 1957 and the Information Technology Act 2000.

Criminal Enforcement

Despite the impressive expertise of the NCSC and I4C, India’s federal make-up means that the responsibility to investigate piracy generally lies with state governments. Thus, the success of anti-piracy enforcement in India is often determined by subnational rather than national efforts. Here, the CoP had observed that piracy is “very low in terms of priority in the radar of law enforcement agencies.” Similarly, the International Intellectual Property Alliance has reiterated that criminal enforcement in India is “very daunting”, and marked by “lack of appetite by local enforcement and significant time delays”.

Pursuing pirates outside major cities appears to be particularly challenging. For example, we examined the records of a high-profile piracy case in the city of Jabalpur (Rahul Mehta v State of Madhya Pradesh (2015)). In 2015, the Jabalpur police had arrested a piracy syndicate responsible for pirating Baahubali, one of the highest grossing Indian movies of all time. The accused were granted bail by the trial court. However, the case is still pending and there is no record of a hearing after 2017. Gallingly, the accused were arrested again, in Hyderabad, for pirating Baahubali 2, the film’s equally successful sequel. While in the recent case of Knit Pro International v State of Delhi (2022), the Indian Supreme Court declared criminal copyright infringement as a “non-bailable” and “cognizable” offence (i.e. one is arrestable without warrant and only a court can grant bail), the ground-level impact of the decision is unclear.

Many right holders see the benefits of using criminal prosecutions as deterrents.

The MIPCU Model

At the state level, a novel enforcement model exists in the form of a police unit in the state of Maharashtra (whose capital, Mumbai, is the hub of Bollywood). The Maharashtra government established the Maharashtra Intellectual Property Crime Unit (MIPCU) in 2017 to provide right holders better enforcement.

The MIPCU was established as a division of Maharashtra Cyber, the state police’s cybercrime wing, and structured as a public-private partnership. To learn more, we visited the office of Maharashtra Cyber and met with the officers currently at the helm: Yashasvi Yadav, Special Inspector General of Police, and Sanjay Shintre, Superintendent of Police. We also met with a team of computer professionals, who make up the MIPCU’s engine room, and interviewed them via a written questionnaire (which they preferred to answer collectively, as “Team MIPCU”).

Yadav acknowledged that piracy was “rampant” in India. He also confirmed linkages between piracy and malware, stating: “Certain malware providers use pirated content as a trap. Their main business is not piracy. Their main intention is to infect computers, steal data or install spyware. People are prone to click on freeware and free content.” Yadav added that it was “not an easy task” to track down such malicious actors, who frequently masked their footprints using technologies like VPN and Tor browsers.

Shintre, however, pointed out that cybercriminals did occasionally slip up. He cited the 2021 case of ThopTV, a popular piracy app funded by subscription fees. Apparently, ThopTV’s mastermind had inadvertently disclosed his whereabouts, allowing Maharashtra Cyber to swoop in and arrest him. Interestingly, the arrest had occurred outside Maharashtra, in Hyderabad. In May 2022, an accomplice was arrested by Maharashtra Cyber near Kolkata. Yadav and Shintre explained that Maharashtra Cyber could pursue pirates outside Maharashtra if pirated content was being disseminated within Maharashtra. Such a move, however, is contingent on registering a “First Information Report” (FIR) in Maharashtra. In other words, such action can only take place when a copyright owner files a criminal complaint, after which the police prepare a report.  The onus of filing the complaint lies on the copyright owner.

Despite potential advantages, the MIPCU does have limitations. For a start, the MIPCU cannot directly shut down piracy websites or apps. Such action is the administrative remit of the Indian Ministry of Electronics and Information Technology (MEITY). Further, Team MIPCU’s responses to our questionnaire indicate that the unit relies heavily on voluntary compliance. In this regard, Team MIPCU listed many difficulties, ranging from non-compliant hosting services in “rogue geographies” outside India to “members-only” piracy platforms hidden from public view.

Other limitations raised include sluggish takedown times over weekends, with some mobile apps taking up to two weeks to act. Moreover, Yadav noted that despite the ubiquity of online piracy, right holders were not registering enough FIRs with Maharashtra Cyber. “I have not seen more than a handful,” he remarked. Yadav felt that this limited the police’s ability to escalate matters.

Many right holders, however, do see the benefits of using criminal prosecutions as deterrents. In a separate interview, Anil Lale, General Counsel of Viacom 18, informed us that Viacom 18 had filed multiple complaints with Maharashtra Cyber, including the FIR in the ThopTV case (for which Lale praised the MIPCU’s “commendable action).”

Lale declined to comment on the strategies of other content media companies, but offered some suggestions as to why the number of FIRs may be low. He pointed to systemic problems with the legal system and law enforcement, the difficulty in prosecuting overseas-based pirates, and the tendency of many right holders to prioritize (understandably) the removal of pirated content over the prosecution of offenders. Lale also felt that, insofar as it is a state-level body, the MIPCU had inherently limited powers and resources. Given these drawbacks, he suggested that the establishment of a larger, national body empowered to receive and investigate complaints from across India might be more effective.

The battle against online piracy in India (and beyond) is […] weighed down by universal and local challenges.

Civil Enforcement

On the civil litigation front, the situation in India appears brighter. Many states in India have set up fast-track courts, and the Delhi High Court has recently established an Intellectual Property Division. The Delhi High Court’s approach towards online film piracy (expertly summarized by Justice Pratibha Singh of the Intellectual Property Division in a recent WIPO presentation [PDF]) has been especially noteworthy. In the leading case of UTV Software Communications Ltd. v 1337X.to (2019), the court recognized “dynamic” injunctions (to preempt pages from shifting across different URLs) and specified criteria to determine when to block “rogue websites” (i.e. websites that "primarily or predominantly share infringing content).” Pant explained that MEITY officials meet regularly among themselves and with intermediaries to implement such blocking orders. The MEITY instructs the Department of Telecommunications to inform ISPs to carry out the blocking of an IP address, which he notes can be done in “a matter of minutes.”  More recently, the Delhi High Court, in Neetu Singh v Telegram (2022), directed Telegram to disclose information about uploaders of pirated content.

However, by the time a court order is passed, and finally executed, the proliferation of pirated content may have already occurred. This shortcoming (which is not peculiar to India) is especially relevant for pirated streams of live entertainment and sports events. Legal costs, which may be prohibitively expensive for smaller outfits, present another major hurdle in the civil litigation process.

The Way Ahead

The battle against online piracy in India (and beyond) is evidently weighed down by universal and local challenges. The universal challenges range from the technological sophistication of cybercriminals to problems of international jurisdiction. The local challenges, however, chiefly encompass systemic problems with law enforcement agencies and the criminal justice system. Realistically, it is perhaps only the latter issue that the Indian government can address.

The CoP has observed that piracy is inappropriately viewed as “a low-risk high-reward” crime in India, with law enforcement agencies challenged with tackling “heinous criminal activities.” However, if the linkages between piracy and malware are better highlighted ¾ through research studies, symposiums, and police training workshops ¾ piracy should automatically rise in the pecking order of serious crimes and receive greater attention. This task could plausibly be undertaken by the Cell for IPR Promotion and Management (CIPAM), a training and awareness cell launched by the Indian government in 2016. CIPAM’s website shows that it has organized several educational workshops and involved leading Bollywood stars in an anti-piracy campaign.

Finally, many state governments may consider setting up their own IP cybercrime units. Operated in a targeted and cost-effective manner, such units would likely attract the endorsement and support of industry. In prioritizing the certainty of punishment over its severity, these units would also, no doubt, offer a service that most right holders would like to see in place.