In 2015, the European Union Intellectual Property Office (EUIPO), through the European Observatory on Infringements of Intellectual Property Rights, commissioned a research study on business models used to infringe intellectual property rights (IPRs). The initiative is envisioned as an independent data-driven study that will assess and analyse specific techniques used to facilitate online IPR infringements on a commercial scale.
The aim of this independent research is to provide an overview of different infringing business models, assessing how they function, how they are financed, how they generate profits for their operators, what kinds of content they disseminate and how large their user bases are. The study shall provide enhanced understanding to policymakers, civil society and private businesses. At the same time, it will help to identify and better understand the range of responses necessary to tackle the challenge of commercial scale online IPR infringements.
This report is the result of Phase 1 of the research study and will be followed up during 2016 by Phase 2. The aim of Phase 1 of the project was to make an overview of the different existing online business models infringing IPRs.
It is apparent from the analyses of the identified business models that the operators that are engaged in IPR-infringing business activities are using a wide variety of business models. A number of the online business models infringing IPRs are based on generally applicable legal online business models, such as the operation of Business-to-Business (B2B) and Business-to-Consumer (B2C) websites, listings of products on third party marketplaces, streaming services and affiliate marketing. For such business models the revenue sources also appear to be the same whether they are direct sources such as sales revenue or indirect revenue such as pay-per click fees or income from providing advertising space.
The online business models infringing IPRs differ from non-infringing models in the way that they are often clearly deceptive to the customers, since the operators purport to be legitimate providers of genuine legal goods, while the goods they offer are in fact IPR-infringing. Sometimes the deceptive nature of the business model is connected to distinctively fraudulent activities, phishing and dissemination of malware. In some instances, the infringement of the IPR is carried out completely openly, but the business model is however still deceptive towards the customers due to dissemination of malware.
Specific online business models have been developed and intentionally designed to benefit from infringement of IPRs. Such online business models include in particular those models that gain their revenue from phishing e-mails, dissemination of ransomware or other fraudulent activities. But also the widespread registration and use of domain names that contain third party trademarks, and which are used for a variety of purposes including parking sites, that generate pay per click revenue or are used to redirect internet traffic to the registrants own website, can be characterised in this way.
It also seems that an increasing number of providers of IPR-infringing goods and services are expanding or even moving their businesses to the darknet or are offering their services on both the open and the hidden part of the internet. This development will have a serious impact on the possibilities to counter IPR-infringements through the existing means of enforcement, as the providers are more anonymous and cannot be easily identified. In addition, the ‘notice and takedown’ procedures which are widely used by the operators of marketplaces and other internet service providers on the open part of the internet do not appear to be applied to the same extent on the darknet.
In cases where it is possible to identify and take enforcement action against a provider of an IPRinfringing activity, the study shows that a number of the analysed business models are based on concepts that make it easy for the providers to be able to continue their businesses even in the event that an enforcement action has been initiated. In some of the business models the providers openly state to their customers that they have included resilience against enforcement actions in their businesses model.
Finally, it can be observed that the borderline between IPR-infringing activities and traditional cybercriminal activities is becoming blurred. Phishing e-mails may thus contain ransomware, which is malware that is used to infect and ‘hijack’ the recipient’s computer, whereby the sender demands a ‘ransom’ in order to release malware from the computer, or other malware variations. Spoofing websites and phishing e-mails may also be used deceive the recipients into disclosing private access codes or passwords to bank accounts or credit card details, previously often obtained through illegal hacking.