Written by Fok Xu Xuan, Lim Chin Hou & Tan Jel Mee, final year students of the Faculty of Law, University of Malaya.
Edited by Irdina bt Mohamad Damshal.
Reviewed by Celin Khoo Roong Teng & Florence Yeap Xiao Qing.
The rise of Virtual Private Networks ('VPNs') is the product of the vast influx of internet accessibility and online services. VPNs have facilitated the usage of the public within the digital environment. Nonetheless, due to its nature of being commonly used to bypass site-blockers and allowing users the liberty of anonymity, VPNs have unknowingly aided the growth in suspicious internet activities. Consequently, this has muddied the waters within cyber law.
A Virtual Private Network (‘VPN’), as the name suggests, is a service that provides users with virtual networks by creating private networks from public internet connections. It enables users to connect to the internet via an encrypted tunnel to protect their online privacy and sensitive data. For instance, when users install a VPN on their device, the VPN routes the internet connection through their VPN’s private server rather than the internet service provider’s (‘ISP’) server. It hides the users’ internet protocol (‘IP’) addresses and data traffics from external snoopers, making their online actions virtually untraceable.
The VPN essentially establishes an encrypted tunnel into the users’ server to protect their personal data. It uses encryption to scramble data when sent over a Wi-Fi network, making it more difficult for other parties to intercept and view the data. The VPN encryption process is as shown below:
A VPN service provider works by utilising servers worldwide where the users’ online activities can originate from any one of them. The users’ ISP would be unable to know the users’ browsing history as the VPN will associate their online activities with the VPN server’s IP address and not the IP belonging to the users. Otherwise, the ISP and web browsers can track everything the users have done online and keep histories. For instance, if the users are browsing for flight ticket prices, most travel sites would know the users’ activity from the ISP and web browsers, which might lead them to display fares that are not the cheapest available. In such situations where revelations of public data have been used in shady ways, keeping information private is more vital than ever.
Although VPN services bring several benefits to users — especially in protecting their privacy — such services are not equally exalted by certain parties, particularly among copyright owners because they raise copyright concerns. As an example, the users can access overseas content unavailable in their country by using the VPN to bypass geo-blocking. Besides, users can also use a VPN to bypass other types of blocking and download pirated material while avoid being caught for copyright infringement because of their anonymous identity. Other illegal activities can be done by users through VPN such as hacking, buying or selling materials on the dark web and cyberstalking.
In short, while VPN enhances the experience of the public in the digital environment, it is also prone to be used for illegal purposes. In this article, we will examine the role of VPN in circumventing geo-blocking and site-blocking, the liability of various parties related to VPN and enforcement issues.
II. VPN AS A CIRCUMVENTION OF GEO-BLOCKING
A. Introduction to Geo-block
Geo-block is a technology commonly used by streaming websites like Netflix to restrict the consumers’ access to copyrighted content on websites based on their geographical areas. For example, Netflix’s geo-block implementation helps prevent the United Kingdom (‘UK’) subscribers from accessing movies that are exclusively made available to United States (‘US’) subscribers. This ensures that the customers can only access content in the region they are located, which Netflix is licensed to provide. To access content that is exclusively available in another country, one must circumvent the geo-block imposed by Netflix; and the most common way to achieve this would be using VPNs. Hence, to determine the legality of VPN under copyright law, as far as the circumvention of geo-block is concerned, the main issue to be discussed here is whether geo-blocking is considered as a ‘technological protection measure’ (‘TPM’). If the answer is in the affirmative, the circumvention of geo-blocking using VPN would thus amount to a circumvention of TPM, which is an act prohibited under copyright law.
B. TPM and Geo-blocking under the Copyright Act 1987
Generally, TPM is a technological tool used by copyright owners to protect their copyrighted works from being exploited in the digital environment. Given the possibility of TPM being bypassed, legal protection against circumvention of TPM is, therefore, granted to the copyright owners as provided under Art. 11 of the World Intellectual Property Organization (WIPO) Copyright Treaty (‘WCT’) and Art. 19 of the WIPO Performances and Phonograms Treaty (‘WPPT’). Copyright laws in each jurisdiction have their respective definitions and scopes on what amounts to TPM. With that in mind, there are generally two main categories of TPMs that are covered by most of the jurisdictions — one that prevents access to works (access control) and another that prevents copyright infringement of works (copy control).
Circumvention of TPM is explicitly prohibited under S.36A(1) of the Copyright Act 1987 (‘CA 1987’). In Malaysia, TPM is defined as ‘any technology, device or component that, in the normal course of its operation, effectively prevents or limits the doing of any act that results in an infringement of the copyright in the work’ under S.3 of the Copyright (Amendment) Act 2012. As stated under S.36(1) of the CA 1987, copyright infringement means the doing of an act ‘which is controlled by copyright under this Act’; while acts over which the copyright owner has the exclusive right to control are stipulated under S.13(1) of the CA 1987, which includes inter alia, the right of reproduction, communication to the public and distribution of copies of the work to the public. In other words, TPM, as defined under the Act, seems to only cover technology that prevents the doing of infringement acts covered under S.13(1). Since the act of accessing has never been subjected to the control of copyright owners under S.13(1), one may suggest that TPM under the CA 1987 only covers copy control TPM but not access control TPM. Hence, in the Malaysian context, it would be rather difficult to protect against the circumvention of geo-block as geo-block is an access control TPM.
The next question to be considered is whether we can construe geo-block as a copy control TPM. If a VPN user circumvents geo-blocks, would it result in ‘copyright infringement’ as set out under S.3 of the CA 1987? When VPN users circumvent the geo-block merely to stream and watch overseas copyrighted content, it does not infringe the copyright owner’s rights under S.13(1) of the CA 1987. However, there would be a copyright infringement if the users circumvent the geo-block and subsequently make an unauthorised copy of the copyrighted work or share the work with the public without the authorisation of the copyright owner.
In such situations, geo-block would fall under the definition of TPM under S.3 of the CA 1987, provided that it is sufficiently effective in restricting any act of copyright infringement. As a result, copyright owners would not only have relief for copyright infringement against the users under S.36(1) of the CA 1987, but also be entitled to ‘additional’ protection against circumvention of TPM under S.36A(1) of the Act.
C. TPM and Geo-block in Other Jurisdictions
In contrast, the discussion on the scope of TPM in other jurisdictions such as the US, UK, Australia and Singapore is less complex than Malaysia as their copyright laws explicitly include both access control and copy control TPMs. For instance, S.1201(a)(3)(B) of the Title 17 of the US Code (‘17 USC’) defines access control TPM as ‘in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work’. This is quite different from the definition of TPM in CA 1987.
Having said that, S.10(1) of the Australian Copyright Act 1968 (‘Australian CA 1968’) expressly excludes ‘any device or technology used as geographic market segmentation tool to cinematograph film’ from the definition of TPM. This relates to our discussion on whether geo-block could constitute a TPM. Typically, licensing agreements entered into between the copyright owners (such as the film production company) and streaming websites like Netflix are on a territorial basis. This is why Netflix implements geo-blocking technology in its services to segment the licensing market for movies by charging different groups of audiences different prices based on their locations. Such preference for a territorial segmented market by copyright owners is prompted by factors such as popularity and profitability of the movie or show in different countries. In such a situation, it would be unwise for Netflix to stream its films everywhere as each show costs money to carry on its platform. Thus, geo-block would be a good market segmentation tool to help them achieve the purpose of maximising profit.
If that is the case, then geo-blocks would not fall within the scope of TPM under the Australian CA 1968; therefore, VPN is more likely to be lawful under the Australian jurisdiction. However, in other jurisdictions such as the US, UK and Singapore, VPN would likely be illegal for allowing users to circumvent geo-blocks.
III. VPN AS A CIRCUMVENTION OF WEBSITE-BLOCKING ENFORCED BY LAW
A. Introduction to Website-blocking Enforced by Law
Moving on, we will now examine another type of blocking, i.e. the blocking of websites ordered by the court or the government. With the proliferation of the internet, the sharing of information has become easier and faster than ever. Unfortunately, this convenience poses a considerable threat to the enforcement of copyright protection. The decentralised nature of peer-to-peer (‘P2P’) file-sharing has made the detection of infringement activity harder and increased the occurrence of copyright infringements. To combat these rampant infringement activities, copyright owners need to first identify the websites that facilitate such infringements and then seek help from the ISPs to block access to the websites.
To pinpoint such websites, we need to determine whether website owners have secondary liability on the infringement occurring through their website. In Malaysia, a person who does not do an act controlled by copyright directly but causes another to do the same is considered to have infringed copyright. The word ‘cause’ has been interpreted as ‘involves some express or positive mandate from the person “causing” to the other person, or some authority from the former to the latter’. The Malaysian courts have approved such interpretation in the context of copyright infringement. Regrettably, such interpretation has not yet to be tested in the case of a website facilitating copyright infringement. Thus, cases from other jurisdictions will serve as persuasive references.
The Australian CA 1968 contains a provision similar to S.36(1) of the CA 1987, except that the terminology used is ‘authorise’: a person who authorises another person to do any act comprised in the copyright is said to be infringing the copyright. For instance, a website facilitating the access of unauthorised music files through hyperlinks is held to be authorising internet users to infringe the copyrights in the sound recordings.
Similarly, in the UK, a person who authorises another to do an act restricted by copyright is said to commit copyright infringement. The word ‘authorise’ is interpreted as grant or purport to grant to a third person the right to do the act complained of. It is also a trite law that a person who procures or engages in a common design to infringe copyright is jointly liable with the other person who did the infringement. For instance, in Twentieth Century Fox Film Corp v Newzbin Ltd (‘Twentieth Century Fox’), Newzbin, a website that indexes and categorises infringing content on Usenet, was held liable for procuring and engaging with its subscribers to infringe copyright. The website was structured to guide its subscribers to commit infringement by providing them with the means to download infringing content. Similarly, another website that provides a directory of torrent files was also held liable for providing a user-friendly environment to search and download infringing content.
Once the court identified the websites liable for copyright infringement, the copyright owners can seek an injunction to block access to such websites. In most jurisdictions, including Malaysia, such legal remedy is provided to the aggrieved copyright owners to prevent further infringements. However, only a few countries have reportedly implemented such blocking. Notably, after the landmark victory of the British copyright owners in obtaining a blocking order against Newzbin, several similar injunctions were granted by the UK courts since then. However, this type of blocking has been criticised by ISPs as being ‘ineffective’ because it can be easily circumvented.
B. Legal Basis for Site-blocking
After identifying the infringers, the most effective and ideal way to eliminate the infringing digital copy is to notify website service providers where the infringing content is located to remove it. However, if website service providers refuse to cooperate or simply ignores such request, the copyright owner can seek help from the court. The court can order the ISP to reasonably disable access to an online location that is physically situated outside Malaysia or to terminate the specific account under S.43C(2) of the CA 1987. Such order is conventionally called blocking. Since such orders have never been sought after in Malaysia, examples from the UK are important references. S.97A of the UK Copyright, Designs and Patents Act 1988 (‘CDPA 1988’) provides that if service providers have actual knowledge of another person using their service to infringe copyright, the High Court will have the power to grant an injunction against them. The court has used this section to justify granting an injunction against the ISP to block or at least impede access to a particular website already held to be infringing copyright.
Intriguingly, the court did consider the fact that such an injunction might not be effective due to the ease of circumventing the blocking. Nevertheless, the court held that such an order would be justified even if it would only prevent access by minority users. Circumvention requires users to acquire additional expertise beyond what they presently possess, and circumvention tools charge fees for services provided. Thus, this hassle compels many users to acquire the contents through legal instead of illegal means. The court, in another case, also echoed that such an injunction is justified even if it only deters a small number of users from accessing the website.
Looking back to the Malaysian jurisdiction, an alternative remedy a copyright owner can seek is through the Communications and Multimedia Act 1998 (‘CMA 1988’). S.263 of the CMA 1988 provides that a network service provider as a licensee shall assist the Malaysian Communications and Multimedia Commission (‘MCMC’), as far as reasonably necessary, to prevent its users from using its service to commit any offence under any law in Malaysia, which includes the CA 1987. The Malaysian government has used the provision to order ISPs to block access to several websites for the purposes other than for copyright protection. However, it is submitted that it should be equally applicable to prevent further copyright infringement.
C. VPN as a Circumvention to such Blocking
As discussed in Twentieth Century Fox, a blocking imposed by ISPs can be easily circumvented by using a VPN. The VPN plays a role in encrypting traffic; hence, it can conceal online activities such as websites visited and data downloaded or received from the ISPs. Since the ISPs are unable to find out which website a VPN user is visiting, the blocking cannot be enforced. Further, a VPN can also alter the users’ IP addresses as though they are from a foreign country where the end server of the VPN is located. Thus, ISPs can no longer enforce territorial blocking due to the jurisdiction of the law.
In examining the legal implication of such circumvention, the question again lies in whether site-blocking is considered a TPM in Malaysia, which has been extensively discussed in the previous paragraphs. While the law is unclear on whether such access control TPM is covered under S.36A of the CA 1987, it is equally uncertain whether the circumvention of such blocking as enforced by the law will attract any legal repercussions. Ultimately, the question that needs to be answered is whether accessing a website blocked through proper legal authority is an ‘act that results in an infringement of the copyright in the work’.
It is undeniable that the sole act of accessing such websites might not necessarily be an infringement under S.36 as the website can be used to facilitate the transfer of non-infringing files. Hence, the site-blocking cannot be said to have prevented an act of infringement when there is none. Such blocking cannot be said to be TPM, and circumvention should not be prohibited. Conversely, when a website is only used to facilitate the download of pirated contents, the person accessing it infringes the reproduction right and communication to the public right as guaranteed by the S.13(1) of the CA 1987. Thus, the site-blocking is effectively preventing or limiting the user’s ability to commit such infringement. The circumvention of such blocking can be said as a circumvention of TPM and hence prohibited.
Essentially, whether to consider site-blocking as TPM is a debate between over-censorship and protection of copyright interests. Nonetheless, we submit that this issue has been settled by the court. As discussed previously, in deciding whether a website has secondary liability, the court will consider various factors and facts, including the non-infringing use of the website. If the court decided to attach liability or block a website, the detriment to the copyright owners must outweigh the benefit the website provides. Therefore, it is a preferable stance that site-blocking should be equally enforced regardless of whether the circumvention of it will result in copyright infringement. Hence, we argue that we must recognise site-blocking as a TPM to provide legal authority under the CA 1987 to prohibit the circumvention of site-blocking by VPN.
In short, to effectively enforce such blocking, it is only wise to categorise the circumvention of the site-blocking as a prohibition under the CA 1987. Since an adequate legal framework to accommodate the inception of such blocking as TPM is already present, S.36A should be interpreted broadly to include such blocking to prohibit or at least deter the circumventions.
IV. THE LIABILITY OF VPN PROVIDERS AND USERS IN CIRCUMVENTION OF BLOCKING
A. The Scope of the Prohibited Acts
S.36A of the CA 1987 prohibits two types of acts, i.e. direct circumvention of TPM by individual users and ‘trafficking activities’ in circumvention technology of TPM by the manufacturers or sellers of such technology.
B. Liability of VPN Providers in Circumvention of the Blocks
S.36A(3) of the CA 1987 suggests that any person who makes a circumvention technology available to the public could be held liable for being involved in trafficking activities of such technology. The issue here is whether the VPN providers, who provide circumvention technology, can rely on any defence to exempt liability from trafficking circumvention technology under S.36A(3) of the CA 1987. In CA 1987, there is no specific exception prescribed for trafficking activities concerning circumvention technology. This is to be contrasted with other jurisdictions where the Copyright Acts in the US, UK and Australia provide certain exceptions for trafficking activities in respect of circumvention devices. However, these exceptions will not be discussed in this article as they are not relevant in the VPN context.
Hence, one may infer that VPN providers would prima facie be held liable for providing such technology that allows users to circumvent the blocks. However, if we look at S.36A(3) of the CA 1987, it is noteworthy that only certain scopes of circumvention technology are prohibited from trafficking. For a circumvention technology to be prohibited under S.36A(3), it must be any technology which:
‘(A) is promoted, advertised or marketed for the purpose of the circumvention of technological protection measure; (B) has only a limited commercially significant purpose or use other than to circumvent technological protection measure; or (C) is primarily designed, produced, adapted or performed for the purpose of enabling or facilitating the circumvention of technological protection measure.’
Similar provisions can be found in the Copyright Acts of the US, UK, Australia and Singapore.
Regarding the first type of prohibited circumvention technology set out under S.36A(3)(A) of the CA 1987, it is arguable as to whether VPN can fall under this scope as it depends on the intention of the VPN provider in promoting and marketing said technology. However, we submit that VPN providers may be able to distinguish their services under S.36A(3)(B) because VPN offers many commercially significant purposes other than to circumvent the blocks. For example, the VPN service allows users to access the internet in an encrypted mode and prevents others from tracking their IP address, which therefore makes internet surfing more secure. This is in line with the US case of Agfa Monotype Corp v Adobe Systems (‘Agfa’) where the court held that since the alleged circumvention device in question had many commercial significant purposes other than to circumvent TPM, it does not fall under S.1201(b)(1)(B) of the 17 USC.
Considering the tremendous advantages that VPN provides, VPN providers may also argue that VPN is not primarily designed to circumvent TPM, and hence does not fall under the scope of prohibited circumvention technology in S.36A(3)(C) of the CA 1987. In the case of Agfa, the court observed that a product that may be used to circumvent a TPM does not necessarily mean that the product was primarily designed or produced for circumvention. The Italian case of PlayStation Computer Console (‘PlayStation’) also suggests that if a TPM applied by the copyright owner is used mainly to segregate the market, then circumvention devices of such TPM can be argued to be not primarily designed or produced to circumvent TPM, but to defeat abuse of monopoly instead.
Unlike the Australian CA 1968, where it expressly excludes market segmentation tool from the definition of TPM, there is no such exception specified under CA 1987. Thus, it is debatable in Malaysia as to whether VPN providers could argue that their services are not primarily designed to circumvent TPM but instead, to defeat the market segregation effect resulting from the imposition of geo-block by the copyright owners — considering that geo-block is not merely used for market segmentation but also to protect the copyright owner’s work. At the end of the day, it depends on the interpretation of the court as to how they construe the scope of the circumvention devices. For instance, the UK court in Nintendo Co Ltd v Console PC Com Ltd adopted a different approach from the PlayStation case by holding that, as long as the device falls under any of the scopes of prohibited circumvention devices in S.296ZD(1) of the CDPA 1988, the fact that such a device might have a non-infringing use after the circumvention of TPM had taken place was irrelevant.
In conclusion, we submit that it is ultimately still subject to whether the intention of the VPN providers in providing the services falls under the scope in S.36A(3)(A) of the CA 1987. If the answer is in the affirmative, then VPN can clearly be considered as a prohibited circumvention device under the CA 1987.
C. Liability of VPN Users in Circumvention of the Blocks
Although S.36A(2) of the CA 1987 lays out several exceptions that exempt liability of users from direct circumvention of TPM under S.36A(1), the scopes of the exceptions are rather limited and unusual as they are confined to technical instances which are unlikely to be carried out by an ordinary individual. For instance, the circumvention of TPM for the ‘sole purpose’ of identifying and analysing flaws and vulnerabilities of encryption technology. In our opinion, these exceptions are not practical in most circumstances because it is very unlikely that an ordinary individual would circumvent TPM ‘solely’ for those purposes. This then brings in the next discussion on whether the fair dealing provision applies to the prohibited act of TPM-circumvention.
The question raised is if the VPN providers and users failed to establish their cases based on the grounds in S.36A(3) or the exceptions in S.36A(2) of the CA 1987 respectively, can they rely on the exceptions set out in S.13(2) with emphasis on the fair dealing exceptions? To answer this question, several overseas cases are to be discussed. In the US case of Universal City Studios v Reimerdes, the court was of the view that the defence of fair use under S.107 of the 17 USC is only applicable to copyright infringement related actions, but not to actions relating to the circumvention of TPM. The judge further explained that if the US Congress had intended the fair use doctrine to be applied to such actions, it would have done so. When this case was appealed to the Court of Appeal, the judge clarified that although S.1201(c)(1) of the 17 USC allows fair use doctrine to be applied to direct circumvention of TPM and its trafficking activities, this section does not apply to the use of materials after the circumvention had taken place. Rather, this section only emphasised that the fact that one circumvents TPM would not deny his right from relying on fair use doctrine in a copyright infringement suit because copyright infringement is a separate action from the circumvention of TPM.
The distinction between the circumvention of TPM and the act of copyright infringement is again made in RealNetworks Inc v DVD Copy Control Association where the court held that fair use is not a defence to the prohibited act of circumvention of TPM. In terms of the applicability of fair use doctrine concerning trafficking activities of circumvention devices, the position in the UK is similar to that in the US. As held in Nintendo Co Ltd v Console PC Com Ltd, trafficking activity of TPM-circumvention technology is prohibited despite the possibility that the objective of circumventing a TPM is for purposes which do not infringe copyright in the relevant works.
In respect of the applicability of fair use in the Malaysian context, Sik is of the view that S.13(2) of the CA 1987 is likely to be inapplicable to the prohibited acts of circumvention of TPM due to two reasons. First, the specified exceptions listed in S.36A(2) of the CA 1987 are all distinct from S.13(2). Second, the wording in S.36A(2) appears to suggest that it is exhaustive in terms of exceptions to S.36A(1). If we apply this view into the context of VPN, this would mean that even if the VPN users only use the circumvention devices for entertainment or other domestic purposes, they could still be held liable for the prohibited act of circumvention of TPM under S.36A(1) as the fair dealing exception does not apply to them. Meanwhile, VPN providers would also be held liable for offering such circumvention technology to the users under S.36A(1) of the CA 1987. While VPN can be prohibited under S.36A(1) of the CA 1987, whether or not VPN, or more specifically, the circumvention of the blocks should be seen as illegal is still a contentious issue that has sparked much debate between copyright owners and consumer groups.
D. The Repercussion of Considering Circumvention of the Blocks as Illegal under the Copyright Law
As explained above, VPN is likely to be illegal under the CA 1987 as a prohibited circumvention device of TPM. Putting aside the legal position, we are of the view that before deciding to outlaw the use and sale of circumvention devices such as VPN, there is a need to consider some of the realistic consequences.
Policymakers around the world have pushed for legislation that permits the circumvention of geo-blocking technology. For instance, the Australian Productivity Commission (‘Productivity Commission’) in its final report called on the Australian Government to ‘amend the CA 1968 to make clear that it is not an infringement for consumers to circumvent geo-blocking technology.’ In the US, Congressman Richard Boucher sought to introduce the Digital Media Consumers’ Rights Act of 2003 to create an exception for the circumvention of access control TPM.
In supporting the move to legalise circumvention of geo-blocks, the Productivity Commission in its report emphasised the overarching aim of copyright law which is to promote the creation of copyright works as well as to achieve a societal benefit by enabling the public to access and gain knowledge from the work. As far as public interest is concerned, there are many more purposes that circumvention of geo-block can serve to the public. For instance, allowing people who travel abroad to access content that they have already obtained access at home, or enabling users to access copyrighted content that is important to them and which they are willing to pay for. In the latter example, when individuals in foreign markets are eager to pay copyright owners for access to the copyrighted content but are unable to obtain local access, they might turn to pirated channels or unauthorised websites which charge subscription fees but do not share revenue with copyright owners. This would not only harm the copyright owners in terms of encouraging online piracy but would also cause them to lose valuable opportunities to monetise their copyrighted content.
With that being said, some may ask, what about the copyright owners’ interest? This issue should be discussed, especially when considering the copyright industries’ continuous preference for the geographically segmented market and increasing demands for the copyright owners to protect their valuable content. Thus, to achieve a more appropriate balance between copyright owners and users, several alternative remedies for copyright owners to overcome the issue of circumvention of geo-block can be considered.
V. ALTERNATIVE REMEDIES
What can copyright owners do if their works protected by TPM are being circumvented by others through VPN services? The copyright owners can seek an injunction under S.37 of the CA 1987 against the VPN service provider which has marketed its service for circumvention of TPM. The court could grant this injunction as long as the copyright owners can prove that the VPN services have been used to infringe protected works, i.e. to infringe the right of reproduction. The VPN service provider would then be compelled to adopt suitable technical measures to prevent acts of circumvention by the users to avoid liability.
Blacklisting the popular VPN providers that are known to be used by many people can be an effective method to enhance the protection of works. By blocking the connections from these VPN providers, the users of these VPN services would be unable to hide their geographic location unless they subscribe to another VPN service. Furthermore, Netflix blocks all connections that seem to come from the same IP address. For instance, if many users seem to connect to Netflix US from the same IP address, it would be a dead ringer that they are using a VPN. Netflix would add the particular VPN to its blacklist even though it is unable to trace the VPN server.
In short, the current law has given sufficient protection towards copyrighted works in terms of preventing the circumvention of TPM, but the lack of effectiveness in its enforcement has resulted in continuous infringements. The pragmatic approaches taken by Netflix US are seemingly more effective than the current law enforcement. Even though some VPN service providers still manage to provide solutions to overcome these blockings, the illegal access to copyrighted works has at least been reduced.
VI. LIABILITY ON VPN SERVICE PROVIDERS FOR CAUSING COPYRIGHT INFRINGEMENT
As discussed previously, the act of circumventing geo-blocking and site-blocking by using VPN might infringe the exclusive rights enjoyed by the copyright owners. However, the question here is whether VPN providers could be held liable for copyright infringement by causing their users to do, without the license of the copyright owner, an act that falls under the Copyright Act. We shall determine whether the VPN service provider has ‘caused’ its users’ act of copyright infringement.
A person is said to have caused another person, i.e. the primary infringer, to infringe copyright under S.36(1) of the CA 1987 only if the person has authority over the primary infringer and as such orders or directs the latter to commit copyright infringement, or the person has express or positive mandate to cause the primary infringer to commit copyright infringement and has indeed caused the latter to do so. Applying these principles, it does not in any way indicate that the VPN provider has caused its users to commit copyright infringement. Although the VPN provider can know that there is potential infringement, it is still insufficient to establish liability on the provider as VPN servers are capable of both infringing and non-infringing use, where the provider has neither authorised nor controlled the users’ actual use. Thus, it is too remote to hold the VPN provider liable for its users’ infringement merely by the act of making available equipment.
With that, we may conclude that our copyright laws do not provide room for the secondary liability of a VPN provider. Therefore, it is most likely that a VPN provider would not be held liable for its users’ act of copyright infringement.
To conclude, there are some conspicuous issues to be considered by lawmakers given the serious implications VPN poses on copyright law, particularly on the issue of geo-blocking and site-blocking. Although our current laws might be applicable to prohibit the circumvention by using a VPN, it is hard to be practically enforced because there is a huge number of VPN service providers. It is also impractical to ban the use of VPN as it does have legitimate usage. Thus, governmental bodies, especially MCMC, should work with VPN providers to take a more effective step to prevent geo-blocking or illegal torrenting through VPN to protect the interests of copyright owners. Until then, we believe that it is unfair to not ban the use and trafficking activities of VPN services.
Disclaimer: The opinions expressed in this article are those of the author and do not necessarily reflect the views of the University of Malaya Law Review, and the institution it is affiliated with.
 Geeks for Geeks. (2017, Oct 5). Virtual Private Network (VPN): An Introduction. Geeks for Geeks. Retrieved from <https://www.geeksforgeeks.org/virtual-private-network-vpn-introduction/>. Site accessed on 20 Apr 2020.
 Norton, K. VPN Meaning & Definition. Webopedia. Retrieved from <https://www.webopedia.com/TERM/V/VPN.html>. Site accessed on 20 Apr 2020.
 Cook, S. (2017, Apr 13). Is using a VPN legal or illegal? Is a VPN safe to use? Here’s what you need to know. Comparitech. Retrieved from <https://www.comparitech.com/blog/vpn-privacy/vpn-safe-legal-or-illegal/>. Site accessed on 20 Apr 2020.
 Namcheap. How does VPN work? Namecheap. Retrieved from <https://www.namecheap.com/vpn/how-does-vpn-virtual-private-network-work/>. Site accessed on 20 Apr 2020.
 See footnote 2 above.
 Crawford, D. (2016, Mar 29). The Importance of Using a VPN. National Cyber Security Alliance. Retrieved from <https://staysafeonline.org/blog/the-importance-of-using-a-vpn/>. Site accessed on 20 Apr 2020.
 Cloudfare. VPN security: How VPNs help secure data and control access. Cloudfare. Retrieved from <https://www.cloudflare.com/learning/access-management/vpn-security/>. Site accessed on 20 Apr 2020.
 Symanovich, S. (2020, Oct 27). What is a VPN? Norton. Retrieved from <https://us.norton.com/internetsecurity-privacy-what-is-a-vpn.html>. Site accessed on 20 Apr 2020.
 For instance, the Facebook-Cambridge Analytica Scandal. Confessore, N. (2018, Apr 4). Cambridge Analytica and Facebook: The Scandal and the Fallout So Far. The New York Times. Retrieved from <https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html>. Site accessed on 9 Jan 2021.
 See footnote 3 above.
 Such as a website-blocking as illustrated further under Part III.
 Yu, P. K. (2019). A Hater’s Guide to Geoblocking. BUJ Sci. & Tech. L., 25, 503, 504.
 Tarantino, B. (2015, Jan 15). Netflix’s Apparent Crackdown on Geoblock Circumventers. JD Supra. Retrieved from <https://www.jdsupra.com/legalnews/netflixs-apparent-crackdown-on-geoblock-22347/>. Site accessed on 20 Apr 2020. ‘As savvy Netflixers know, Netflix’s library is different from one region to the next. For example, Netflix US’s library is nearly three-times larger than Netflix Canada’s.’; See also Cole, J. (2021, Jan 6). How to beat Netflix VPN Ban. VPNpro. Retrieved from <https://vpnpro.com/guides-and-tutorials/netflix-vpn-ban/>. Site accessed on 7 Jan 2021. ‘According to Netflix themselves, the reasons for this diversity are fairly simple. Across the world, every nation has its own copyright laws, and each rights holder (usually the company which produces the content) sells the right to screen their products.’
 Hayne, K. A., & Britt, A. (2016, Feb 23). VPN? “Virtual Private Network” & “Very Peeved Netflix”? The Battle for Control of Overseas Content Continues..... Addisons. Retrieved from <https://www.lexology.com/library/detail.aspx?g=9eeffd72-72a7-474b-a9ba-37a0f053b959>. Site accessed on 9 Jan 2021. ‘When Netflix began offering services to Australian customers in 2015, the catalogue available was significantly smaller than the content available to customers located in the US, for example. Netflix separates these markets using geo-blocking technology, aiming to ensure that customers can only access material made available in the region they are located. Despite Netflix’s asserted intentions to offer greater and more consistent content globally, unless either Netflix acquires global licensing for all of their content, or copyright laws do away with these licensing requirements, Netflix must continue to abide by the apparently “historic practice” of geographic licensing. This discrepancy in content availability has led many Australians to use VPNs to access the US versions of Netflix and other similar services, rerouting their IP addresses to appear as though they are located in the US.’; See also footnote 13 above. ‘Except for shows which Netflix produces itself…Netflix must sign licensing agreements to include third party content in its libraries and these licenses are typically on a territorial basis…Netflix is only licensed to show a particular movie or television show within a particular territory, shutting out users outside of that territory.’
 Cole, J. (2021, Jan 6). How to beat Netflix VPN Ban. VPNpro. Retrieved from <https://vpnpro.com/guides-and-tutorials/netflix-vpn-ban/>. Site accessed on 7 Jan 2021.
 Art. 11 of the WCT and Art. 19 of the WPPT require the member States to provide ‘adequate legal protection and effective legal remedies against circumvention of effective technological measures that are used by authors’.
 Copyright Act 1987 (Act 332) (Malaysia) s 36A.
 Prior to the Copyright (Amendment) Act 2012 (Act A1420), there was no definition of ‘TPM’ under the CA 1987.
 Sik, C.P. (2020). Digital Copyright Law of Malaysia. Subang Jaya, Malaysia: Sweet & Maxwell, 156.
 This would trigger the copyright owner’s reproduction right provided in S.13(1)(a) of the CA 1987.
 This may trigger the copyright owner’s communication to the public right and distribution right provided in ss.13(1)(b) and (c) of the CA 1987 respectively.
 The fact that a technological measure can be circumvented does not mean that it is ineffective. To be an effective TPM, it does not have to be a totally effective technological tool which could prevent ‘any’ circumvention. As long as the measure is able to limit or prevent the doing of any act that results in copyright infringement, it meets the threshold of ‘effective’ and is protected against circumvention under the copyright law. See Universal City Studios, Inc v Reimerdes 111 F Supp 2d 294 (SDNY 2000) and Nintendo Co Ltd v Playables Ltd  EWHC 1932 (Ch).
 S.296ZF(1) of the CDPA 1988 defines TPM with the objective of protecting a copyright work, either through an ‘access control or protection process’ or ‘a copy control mechanism’. In other words, ‘protection’ of a copyright work may be achieved via the implementation of either access control or copy control TPMs. From here, we can see that UK’s copyright law adopts a broader scope of TPMs than that in CA 1987 to include access control TPMs.
 S.10(1) of the Australian Copyright Act 1968 defines TPM as ‘(a) an access control technological protection measure; or (b) a device, product, technology or component (including a computer program) that…in the normal course of its operation, prevents, inhibits or restricts the doing of an act comprising in the copyright.’
 Technological measures under the Copyright Act 1987 (Singapore, cap 63, 2006 rev ed) S.261B (‘SCA 1987’) also comprises of both access control and copy control TPM. Access control TPM is defined in S.261B as ‘any technology, device or component that in the normal course of its operation, effectively controls access to a copy of work or other subject matter.’
 17 USC §1201(a)(3)(B) (1976).
 The definition of ‘TPM’ under the Australian CA 1968 after the Copyright Amendment 2006 is ‘(a) an access control technological protection measure…but does not include such a device, product, technology or component to the extent that it: (iii) if the work or other subject-matter is a cinematograph film or computer program (including a computer game) — controls geographic market segmentation by preventing the playback in Australia of a non-infringing copy of the work or other subject-matter acquired outside Australia’.
 The SCA 1987 has to be contrasted with the Australian CA 1968 where it only excludes the liability from circumvention of TPM in relation to the import or sale of a device that is used for the ‘sole purpose’ of controlling market segmentation for access to cinematograph films. See S.261C(10) of the SCA 1987.
 See footnote 17 above, s 36(1).
 Ali Amberan v Tunku Abdullah  2 MLJ 15 (Raja Azlan Shah).
 Motordata Research Consortium Sdn Bhd v Ahmad Shahril bin Abdullah & Ors  MLJU 1187 (High Court). Therefore, a person is causing another person to infringe copyright when he orders or directs another person to commit copyright infringement or he has an express or positive mandate to cause another person to commit copyright infringement.
 Copyright Act 1968 (Cth) s 36(1), 101(1). The Act further states that to determine whether there is such authorisation, a few factors should be considered such as the extent of the person’s power to prevent the doing of the act concerned; the nature of any relationship between the person authorising and the person who did the infringing act; and whether the person took any reasonable step to prevent or avoid the doing of the infringing act.
 Cooper v Universal Music Australia Pty Ltd  FCAFC 187. Applying the test under S.101(1A), the court considered that the website owner chose not to give himself immediate power to prevent copyright infringement. Further, the court found that there is a commercial interest between the website owner and its users. Besides, the court also found that the website owner did not take reasonable steps to prevent or avoid the use of his website for copying copyrighted sound recordings; instead, he deliberately designed his website to facilitate such use.
 Copyright, Designs and Patents Act 1988 (UK) c 48, s 16(2).
 Falcon v Famous Players Film Co.  2 K.B. 474, 499.
 C.B.S. Songs Ltd and Ors v Amstrad Consumer Electronics Plc  1 A.C. 1013, 1058.
 Twentieth Century Fox Film Corp v Newzbin Ltd  EWHC 608 (Ch).
 The court also considered that Newzbin is designed and intended to make infringing copies of films readily available to its paid subscribers.
 Dramatico Entertainment Ltd & Ors v British Sky Broadcasting Ltd & Ors  EWHC 268 (Ch). The court held the website liable because it provides a user-friendly environment to search for and download infringing contents.
 Sweney, M., & Halliday, J. (2011, Jul 28). High Court forces BT to block file-sharing website. The Guardian. Retrieved from <https://www.theguardian.com/technology/2011/jul/28/high-court-bt-filesharing-website-newzbin2>. Site accessed on 20 May 2020.
 BBC News. (2013, Oct 29). ISPs told to block 21 pirate sites. BBC News. Retrieved from <https://www.bbc.com/news/technology-24726078>. Site accessed on 20 May 2020.
 Cuthbertson, A. (2015, Oct 13). Proxy websites for Pirate Bay, Kickass Torrents and more disappear in ProxyHouse blitz. International Business Times. Retrieved from <https://www.ibtimes.co.uk/proxy-websites-pirate-bay-kickass-torrents-more-disappear-proxyhouse-blitz-1523794>. Site accessed on 20 May 2020.
 See footnote 17 above, s 43H.
 Twentieth Century Fox Film Corporation v British Telecommunications Plc  EWHC 1981 (Ch).
 See footnote 44 above, 194.
 See footnote 44 above, 196.
 EMI Records Ltd v British Sky Broadcasting Ltd  EWHC 379 (Ch), 104.
 Malaysiakini. (2018, May 19). MCMC ordered at least 11 ISPs to block M’kini GE14 sites. Malaysiakini. Retrieved from <https://www.malaysiakini.com/news/425819>. Site accessed on 20 May 2020.
 Privacy Surfer. Can Your ISP See Your Location Data? How About The Websites You Visit and Downloads You Make? PrivacySurfer. Retrieved from <https://privacysurfer.com/isp-use-a-vpn/>. Site accessed on 7 Jan 2021.
 Schofield, J. (2012, May 17). Using a VPN to protect your web use. The Guardian. Retrieved from <http://www.guardian.co.uk/technology/askjack/2012/may/17/vpn-internet-privacy-security>. Site accessed on 20 May 2020.
 S.36A(1) of the CA 1987 provides that no person shall circumvent, or cause or authorise any other person to circumvent, the TPM applied to a copy of a copyright work. From the wording of this section, we can infer that in order for an act of circumvention to be prohibited under S.36A(1) of the CA 1987, there are basically three conditions to be met, i.e. the TPM that the defendant intends to circumvent must be one that (i) is applied to a copyright work, (ii) is used to protect the copyright work from exploitation but not for other purposes, and (iii) is used to restrict acts in respect of the copyright works which are not authorized by the copyright owner or permitted by law.
 S.36A(3) of the CA 1987 prohibits a list of ‘trafficking activities’ relating to circumvention device or technology, which includes manufacture for sale, sell in the course of business, distribute for purposes other than in the course of a business to such an extent as to affect prejudicially the copyright owner, and offer to the public any service relating to such technology.
 S.1201(e) of the 17 USC deals with exception of law enforcement, intelligence and other governmental activities.
 S.296ZB(3) of the CDPA 1988 provides law enforcement in the interest of national security.
 S.116AO(2)-(6) of the Australian CA 1968 provides for exceptions such as interoperability, encryption research, computer research testing etc.
 S.1201(a)(2) of the 17 USC provides, ‘No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that — (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.’
 S.296ZD(1) of the CDPA 1988 provides that ‘this section applies where — a person manufactures, imports, distributes, sells or lets for hire, offers or exposes for sale or hire, advertises for sale or hire, or has in his possession for commercial purposes any device, product or component, or provides services which — i) are promoted, advertised or marketed for the purpose of the circumvention of, or (ii) have only a limited commercially significant purpose or use other than to circumvent, or (iii) are primarily designed, produced, adapted or performed for the purpose of enabling or facilitating the circumvention of those measures’.
 S.10(1) of the Australian CA 1968 defines circumvention device as device, component or product (including a computer program) that: (a) is promoted, advertised or marketed as having the purpose or use of circumventing the technological protection measure; or (b) has only a limited commercially significant purpose or use, or no such purpose or use, other than the circumvention of the technological protection measure; or (c) is primarily or solely designed or produced to enable or facilitate the circumvention of the technological protection measure, which is similar to S.36A(3) of the CA 1987.
 S.261C (1)(c) of the SCA 1987 provides, ‘no person shall offer to the public or provide any service which — (i) is promoted, advertised or marketed for the purpose of circumventing the technological measure; (ii) has only a limited commercially significant purpose or use other than to circumvent the technological measure; or (iii) is performed primarily for the purpose of circumventing the technological measure’.
 Johansen, A. G. (2019, Apr 23). Are VPNs legal or illegal? Norton. Retrieved from <https://us.norton.com/internetsecurity-privacy-are-vpns-legal.html>. Site accessed on 20 May 2020; See also Parkyn, J. (2020, Nov 26). Are VPNs Legal? Your Rights to Using VPNs Explained. Tech.co. Retrieved from <https://tech.co/vpn/are-vpns-legal>. Site accessed on 7 Jan 2021; See also WhatIsMyIPAddress.com. The Internet Isn’t Safe. That’s Why You Need a VPN. WhatIsMyIPAddress.com. Retrieved from <https://whatismyipaddress.com/vpn>. Site accessed on 20 May 2020.
 Agfa Monotype Corp v Adobe Systems 404 F Supp 2d 1030 (ND III 2005).
 S.1201(b)(1)(B) of the 17 USC prohibits the trafficking of circumvention tools of copy control TPMs that ‘has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof’.
 See footnote 61 above.
 See footnote 61 above, 1039-1040.
 PlayStation Computer Console  ECDR 18.
 See footnote 12 above. ‘Geoblocking enables rights holders and intermediaries to segment the Internet into different markets and charge different prices (or offer different services) to consumers based on their location. This facilitates geography-based price discrimination. While the original purpose of copyright was to prevent copying, geoblocking allows rights holders to control copying and the distribution of copyright material. Copyright, exclusive licensing and geoblocking can work together to further strengthen the ability of rights holders and their intermediaries to control distribution and thereby price discriminate.’
 Nintendo Co Ltd v Console PC Com Ltd  EWHC 1458 (Ch).
 See footnote 32 above.
 S.36A(2) of the CA 1987 provides exceptions to S.36A(1) for the purposes of programs interoperability; research on encryption technology; computer or system or network security; protection of personal data; law enforcement, national security or performance of statutory functions; library, archive or educational institution’s act in deciding on acquisition of copyright works.
 See footnote 17 above, s 36A(2)(b).
 Universal City Studios v Reimerdes 111 F Supp 2d 294 (SDNY 2000).
 See footnote 71 above, 322.
 RealNetworks Inc v DVD Copy Control Association 641 F Supp 3d 913; 2009 US Dist LEXIS 70503.
 Note: although the direct circumvention of copy control TPM is not prohibited under 17 USC, the trafficking activities in relation to circumvention of such TPM is still prohibited under the code.
 See footnote 67 above.
 See footnote 19 above, 188, 6.083.
 See footnote 19 above, 188-189, 6.084.
 Australian Government Productivity Commission. (2016, Sep 28). Intellectual Property Arrangements: Productivity Commission Inquiry Report No 78, 64. Retrieved from <https://www.pc.gov.au/inquiries/
completed/intellectual-property/report/intellectual-property.pdf>. Site accessed on 20 May 2020.
 See footnote 12 above, 503, 519.
 See footnote 78 above.
 See footnote 12 above, 503, 507.
 Saez, C. (2014, May 8). WIPO Director Gurry Speaks On Naming New Cabinet, Future Of WIPO. Intellectual Property Watch. Retrieved from <https://www.ip-watch.org/2014/05/08/wipo-director-gurry-speaks-on-naming-new-cabinet-future-of-wipo/>. Site accessed on 20 May 2020. ‘For as long as it is easier to get content illegally than it is to get it legally, there is an encouragement to piracy.’; See also Yu, P. K. (2012). Region codes and the territorial mess. Cardozo Arts & Ent. LJ, 30, 187, 235-236. ‘A . . . group of viewers turn to unauthorized streaming sites on the internet, even though many of these viewers would have been willing to pay a monthly subscription fee in the first place.’
 Yu, P. K. (2017). A seamless global digital marketplace of entertainment content. Research Handbook on Intellectual Property in Media and Entertainment, 265–289, 268. ‘[T]hird-party subscription-based services, such as My Expat Network, have provided foreign television programming to paying subscribers.’; See also Trimble, M. (2011). The future of cybertravel: legal implications of the evasion of geolocation. Fordham Intell. Prop. Media & Ent. LJ, 22, 567.
 Woo, S. J. M. (2017). Geoblocking, VPN, and Copyright. Sing. L. Rev., 35, 66, 101, 102.
 See footnote 12 above at 503, 508.
 Yu, P. K. (2017). A Spatial Critique of Intellectual Property Law and Policy. Wash. & Lee L. Rev., 74, 2045, 2064. ‘Territoriality is the bedrock principle of the intellectual property system, whether the protection concerns copyrights, patents, trademarks, or other forms of intellectual property rights.’
 See footnote 12 above at 503, 506.
 See footnote 17 above, s 36A.
 UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH (C-314/12)  Bus. L.R. 541.
 GreenBerg, J. (2016, Jan 16). Netflix's VPN Ban Isn't Good for Anyone — Especially Netflix. Wired. Retrieved from <https://www.wired.com/2016/01/netflixs-vpn-ban-isnt-good-for-anyone-especially-netflix/>. Site accessed on 10 May 2020.
 Van Der Sar, E. (2015, Jan 3). Netflix Cracks Down on VPN and Proxy “Pirates”. TorrentFreak. Retrieved from <https://torrentfreak.com/netflix-cracks-down-on-vpn-and-proxy-pirates-150103/>. Site accessed on 10 May 2020.
 Russon, M. (2016, Jan 18). Netflix blocking VPNs: Everything you need to know about the fight to stop you seeing US content. International Business Times. Retrieved from <https://www.ibtimes.co.uk/netflix-blocking-vpns-everything-you-need-know-about-fight-stop-you-seeing-us-content-1538255>. Site accessed on 10 May 2020.
 See footnote 93 above.
 See footnote 17 above, s 36.
 See footnote 31 above.