Why Section 230 really matters to business

1280px Illustration of 1904 patent for catcher protector

Protection doesn’t have to be attractive to be effective.

There’s a lot of discussion in the US political arena about Section 230 of the Communications Decency Act (CDA). Much of it is, frankly, wrong, but I’m not here today to tell you about why I think that to be the case. I do want to tell you that, if you have an online business and you accept any content whatsoever from third parties, Section 230 offers critical protection to your business and you need to consider whether you want that critical protection to disappear.

When the internet was young, there was a period where the liability of online service providers for third party content was unclear. One of those, CompuServe, decided on a completely hands-off approach, taking absolutely no steps to control what was posted by whom, in large part to avoid liability for being in any way involved. Another, Prodigy, differentiated itself by moderating content to ensure that “bad” content didn’t reach its users. Both were sued, and CompuServe’s hands-off approach was vindicated, whereas Prodigy’s approach was not. From that point on the common wisdom was that, to avoid liability, platforms should remain completely neutral and not meddle in any way with third-party content. Any moderation of third party content at all increased the risk of liability.

As you can imagine, a completely unmoderated internet rapidly began to move from interesting source of information to unmanageable dumpster fire. In an effort to reign things in, particularly with respect to pornography and defamation, Congress passed the Communications Decency Act (CDA). And now the internet is free of both …

That’s not what happened. What actually happened is the CDA was found mostly unconstitutional, but Section 230 of CDA survived. Section 230 states that “interactive computer services” would not be treated as the “publisher or speaker” of a third party’s content. In other words, the law made it safe for companies to allow customers or others to publish content on their websites or using their systems, and ensured that the company wouldn’t be held responsible for anything which was said (for the most part). That clearly benefits the YouTubes and Facebooks of the world, but it also benefits anyone who allows third party content onto a website.

For example, I’m responsible for anything I write on this blog, for better or worse. This blog allows comments, however, which means that third parties can effectively post their content to my website. Under Section 230, if my son decides to comment on my blog to say something nasty about the famous soccer player Cristiano Ronaldo, Mr. Ronaldo can sue my son for defamation but he can’t sue me (at least not successfully). Equally important, when I make the decision to delete my son’s comment I can do so without losing the liability protection Section 230 provides. In a pre (or post) Section 230 world, that’s not necessarily going to be the case, and I’d have to seriously consider turning off the ability to comment. The same applies to almost any website with interactive features, from comments to customer ratings, discussion boards to help boards, and pretty much any other online content which is sourced from more than one person.

There are limits on the liability protect Section 230 offers, especially with respect to intellectual property, but it’s really the law which has allowed the internet of today, with all of its warts, to come into being. Without Section 230, much of that would become fraught with risk. That risk would force many providers to shut down those interactive features altogether, and companies would lose a very critical source of information and communication about their customers and products. Realistically, it would also increase the near-monopoly power of those large service providers who can afford to wrestle with the liability issues which would arise, like Facebook and Google.

Section 230 isn’t perfect, no law ever is, but unless you want to lose the ability to interact with your customers online it’s extremely important.

EFF has a brief article on CDA Section 230 which explains in some more detail the protections offered by Section 230. Verge has provided a summnary of the history of Section 230 and the potential harms of some of the proposed changes. As always, for details on Section 230 and an excellent treatment of some of the specific issues outlined above see Professor Eric Goldman’s Technology and Marketing Law Blog

Think you can’t be sued in the US?

Older seated man with younger standing man

“I’m telling you Dad, you shouldn’t use AWS for your new website.”
It should come as no surprise that the internet has thrown old rules of jurisdiction (a fancy word for where a lawsuit can successfully be brought) into question. Courts are – somewhat understandably – hard put to determine when businesses from far-flung countries should be hauled into court in the US, particularly given the complexity of the technology and the huge numbers involved when dealing with successful websites.
Professor Eric Goldman reported recently on a case which could mark a watershed change in US court’s jurisdiction over foreign defendants if it were to become the norm. The case involves copyright infringement, the source of many not-great legal rulings, and appears to stand for the proposition that targeting advertising to the US plus the use of US service providers may be sufficient to confer jurisdiction in the US. Given the premier position of many US service providers in the internet infrastructure, that’s a big deal.

In short, the court held that the owner of two websites based in Russia may be subject to jurisdiction in Virginia because the defendants: (1) targeted a significant amount of marketing to Virginia (which is relative, since it was only about 0.2% of the defendant’s worldwide audience), (2) used a US-based registrar and cloud services provider, and (3) registered a DMCA agent with the US Copyright Office. While the defendant in this case may not be an overly sympathetic character, that logic could be used to subject almost any ad-driven multinational website to jurisdiction in the United States, particularly given that the volume of business in Virginia, while significant, was a very small fraction of US traffic (to say nothing of total traffic). It’s definitely a red flag for companies providing services from outside of the US who aren’t intentionally targeting US consumers.
For international companies looking to stay out of the reach of US courts, there are definitely a few lessons to be learned here:

  1. Know where your ads are displayed. Many companies outsource a lot of their social media targeting, understandably, but if you want to avoid US jurisdiction you need to keep an eye on where your ads are being shown and, how they are being customized for a particular market. Courts are clearly considering these issues so it’s important you aren’t wasting advertising spend on markets you may not want to be in, for legal reasons or otherwise. You may decide to take the risk of selling in the US, but it should be a knowing decision rather than something which simply happens.
  2. Use non-US service providers. Although US providers like Amazon and Google may be ubiquitous, they may not always be the best choice. If you want to reduce your contacts to the US this is probably the easiest place to start, since there are domain name registrars and cloud service providers all over the world. They may not be as well known, but unless you absolutely must use a US provider it’s worth taking a look. As a bonus, you might also increase your compliance with GDPR and other international laws which US providers aren’t terribly keen on following. Your non-US customers might actually appreciate it.
  3. Reconsider the DMCA. This is a more difficult decision to make. Whatever its faults, the DMCA actually protects online companies from liability for content uploaded by customers, so it’s generally better to have a registered agent and follow the DMCA notice and counter notice regime where possible. That analysis might change, however, if the cost of that protection is general jurisdiction in the US for unrelated lawsuits.

It’s almost impossible for online marketers to avoid all contact with US providers, but it’s important to understand some of the risks which may accompany those providers and eliminate those risks where possible.

If you want more detail on this case, check out Professor Goldman’s post. As an aside, if you are active in internet marketing and the law, you really need to be reading that blog on a regular basis anyway (although keep checking back here as well!).

Image from Wikimedia.

Is your website ready for prime time?

Medieval monk sitting at a writing desk

Time to get to work!
Since we’re all at home trying to figure out how to make money while away from the office or, even worse, bricks-and-mortar store, this is a good time to think about updating your website. Many businesses with an online component are holding on pretty well under the circumstances, and some are even thriving, possibly at your expense. Here are a few ideas to get you started!

  1. Update your information. Ok, this one is pretty obvious, but it’s important that people know how to get in touch with you, whether you’re open or not, and how they can still buy your services. If they weren’t able to buy your products online, that probably needs to change. Strictly speaking, that’s not a legal issue, but it’s probably the most important issue you have to deal with if you’re going to keep your business afloat!
  2. Update your Terms and Conditions (or Terms of Use). No matter what you call them, your terms of service lay down the ground rules for your online presence, so it’s critical that they are binding on your customers and that they accurately spell out what you are and are not responsible for. If you don’t have one, you need one, especially if customers can order products or services via your website. This is important, so there will be more detail in a later post, but for now just make sure you have one!
  3. Update your Privacy Policy. There was a time when privacy policies, like terms and conditions, were optional, but now it’s pretty much a must-have. Like terms of use, there are many different privacy policies to be found online, it should accurately state your real policies and processes, so yes, you’ll have to read and revise it accordingly. Unfortunately, privacy policies, even more than terms of use, need to be customized for your audience under state, federal and international law, so if you are selling financial services, or targeting children, or Europeans, or selling the data of California residents you’ll need to customize your privacy policy accordingly. We’ll deal with the alphabet soup that is privacy policies (or “statements”) under the GDPR, CCPA, and other laws later, but for now you still need one.
  4. Register a DMCA Designated Agent. There’s a lot wrong with copyright law these days but, for website owners, the Digital Millennium Copyright Act (DMCA) isn’t one of those. Basically, if you follow a few simple rules and procedures you can be sure that you won’t be held liable for copyright infringement by a contributor to your website. That’s any contributor, from the one-time guest post to a regular contributor or even customers who upload photos and other content to your website. I’ll outline those DMCA rules separately, but to start with you need to register a DMCA agent with the United States Copyright Office. It’s very easy, very cheap, and could save you a ton of money if it’s ever needed. A DMCA notification and takedown policy on your website is a good idea, but not strictly necessary. You can even put it in your terms of use if you’d like. As for those rules, I’ve covered those in a separate article, but you really won’t need them unless and until you receive your first notice, so for now just get yourself registered.
  5. Improve compliance with the Americans with Disabilities Act (ADA). To generalize wildly, the ADA mandates that all “places of public accommodation” be made accessible for the disabled. Unfortunately, it’s very unclear how that applies to websites, but given the number of lawsuits filed under the ADA in recent years you pretty much have to assume it does. While there’s no black-letter law on what constitutes compliance with the ADA, the general consensus is that website owners need to comply with a standard called WCAG 2.0 AA. While that standard is way too complex to outline here, and there’s no single tool to make you website compliant, you can start with a few simple tasks like making sure there’s alternative text for all images, adding text for any videos or audio presentations, adding text for form labels so it’s easy to tell what goes in each field, and making sure all pages and links have headings or descriptors which accurately describe the content. Focus on the real meat of your website, since it’s more critical that the disabled be able to access your services than it is for them to know that you also like to hike the Andes when you’re not at work.
  6. Cookie Policy. You may or may not need a cookie policy. They are particularly necessary when selling to Europeans, in which case you probably need an opt-in mechanism as well (like those annoying banners which pop up all over the place when you are browsing certain websites). The CCPA is a little less antagonistic towards cookies, but even under CCPA a disclosure at the point of collection, ideally with an opt-out mechanism, is the minimum for legal compliance. At the very least, make sure your privacy policy outlines where and how cookies are used, especially if you are using Google Analytics or third party ads, since that’s relatively easy. Adding banners and opt-ins may require the assistance of your web developer.

That should be enough to keep you busy for a while!

In all seriousness, though, just pick one or two of the above items and get started – many of those items are pretty straightforward unless your site is very complicated, and some (like registering a DMCA agent or taking some steps to make your website more ADA compliant) could save you tens or even hundreds of thousands of dollars in legal fees and damages in the future.

Drafting a Temporary Work From Home Policy

There are many differences between the working-from-home which is required during a health emergency and normal telecommuting. For most companies which are not virtual, the telecommuting policy is intended for folks who want (or at least expect) to work at home and who are presumably properly equipped to do so. Those policies are also underpinned by the notion that the telecommuter has an appropriate space to work in and can come to work if he or she wants to. Employees who don’t normally telecommute aren’t used to working at home, and may have a difficult time drawing the line between work and home life. They also aren’t necessarily thinking about the difference between their normal home activities and work. Finally, if you are making exceptions to your normal business rules and processes just to keep things up and running, your employees need to understand that those are exceptions rather than the rule.
With that in mind, you need to communicate your expectations for employees who are working for home clearly, using a temporary or emergency teleworking policy. Below are some of the most important considerations for such a policy.

  • Wages and Hours. First, and perhaps most important, you need to set expectations with respect to hours worked. As noted above, some employees will work too little, but others may work too much, leading to unexpected overtime costs and possible ill will. Some employees will be expected to be at their desks during normal working hours but for many, with kids at home and other distractions, will require more flexibility than that. If your business needs permit, try to offer that flexibility, while reminding employees of any limitations. One compromise which can work well is the concept of “core time,” in which you provide a set of hours where everyone is expected to be available, but allow the employee to flex the remaining hours of the day accordingly. So, for example, you might ask all employees to be available and working every day from 10:00 am to 2:00 or 3:00 pm, but allow them to flex their time outside of that range so they can help with homework, cook, or whatever.
  • Confidentiality. You’ll want to remind employees that company information should be kept confidential, and that documents and other confidential materials should be properly stored away from prying eyes at home. Most kids aren’t espionage agents for a foreign power, but kids can and will read stuff which is lying around, and if it’s interesting in any way they may well talk about it with friends.
  • Expectation of Privacy. This probably deserves its own post, but this is probably a good time to remind employees that their use of company resources may be monitored, even if the laptop is on the dining room table at home. That’s particularly critical for employees who are using their own equipment, since they may not be thinking of “privacy” the same way they would at work.
  • Cybersecurity. On a related note, employees using their own equipment should be reminded to use good security practices, including the use of encryption and virus protection as well as the use of any company-supplied network access or other tools. This is also a good place to remind employees about the proper use of any software you’ve allowed on a temporary basis, such as remote file storage or messaging or video apps. If you’ve set up company accounts with cloud providers for things like Dropbox or Google, remind employees that they are required to use the company-supplied accounts rather than their own accounts, and that all substantive discussion of work topics should be done using tools which ensure that they are preserved going forward.
  • Office Supplies. The policy should also advise employees as to how they are to obtain or replenish any office supplies which are needed. Should they order directly and request reimbursement or use a company account? Will the company handle orders and deliver to the employees house? It’s better to address these issues before the $200 expense report for office supplies is on your desk for payment.
  • Disclaimer of Liability. Finally, you’ll want to disclaim liability for anything which happens at the home outside of work hours. After all, worker’s compensation disputes get tricky when the workplace is the home, especially on a provisional basis, so it’s important to draw boundaries between the company’s responsibilities and the employee’s.

Finally, you should remind employees that all other conditions of work still apply. After all, work from home is still work, whether any of us like it or not.

I’m sorry, we’re all working from home now?

John Shedwick Development Houses 01

So, depending on where you are, a week or two ago you sent everyone home with a pat on the back and instructions on how to work remotely, and a lot of hopes for a speedy return. Some of you were pretty well prepared, since you already have some telecommuters or maybe you are already partially virtual, but most of you (us!) really weren’t. Sure, you had some tools in place for remote work, but more for occasional use, and certainly not for all employees and weeks at a time.
For many small businesses, just getting anything workable in place has to be considered a victory, and most are probably just relieved that the number of fires to put out is decreasing. Given that this working from home situation is likely to last for a while, however, you may want to take a look at what you’ve done and make some improvements before you settle in to maintenance mode. After all, having an entire company performing almost all business functions at home is a lot different than most normal telecommuting scenarios. Here are a few thoughts to get you going.

  1. Put a policy in place. If you don’t have one, put some sort of temporary telecommuting policy in place, which outlines your expectations. Even if you already have a policy, you may need or want to deviate from that during these extraordinary circumstances, because things are genuinely different now. After all, some workers will be working on their own devices, others on company computers, and some from paper. Some will work too little, but some will work too much as well, and either can cause business and legal issues. Either way, you’ve got to set our your expectations and requirements or your employees won’t know what they are.
  2. Keep the team together. Even a close-knit group begins to fall apart with separation, so you’ll want to consider ways to keep the team connected. Sure, you can have a regular staff meeting, and your colleagues can e-mail or call, but that’s a little different than the around-the-water-cooler camaraderie they have at work. Normally, many IT departments shy away from (or forbid) messaging services like Skype or Slack, but used correctly those tools can be an excellent way to keep your colleagues in touch with one another (and you) while everyone is stuck at home. Used correctly is key here, so employees need to understand that substantive discussions about a project or a case need to be in e-mail or some other tool where they can be tracked. Instant messages like Skype are for non-substantive discussions and, yes, venting about your ten year old taking your laptop for history class while you try to work on your aging smartphone.
  3. Control your files. Let’s face it, no matter what kind of system you have in place, when a whole family is busily home-schooling and working remotely, that puts a premium on bandwidth and hardware accessibility in the household. That means your employees are making do as best they can to get the work done, and in order to do so, they may be saving files on their home computers, on Google Drive, or using a personal Dropbox or Box account. Normally, that may not be ok, but unless you were completely prepared for people to work at home you need to accept and acknowledge that it’s happening, and take control. If your folks need Dropbox, get a business account with backup and auditing functions, so you know where your files are and that they are backed up. If Google is the tool of choice, get a G-Suite account and have everyone work on the company account rather than on tens or hundreds of different personal accounts over which you have no control. Remember, you’re in emergency mode here, so you’re going to have to sacrifice the ideal for “good enough,” at least until everyone comes back to work. Fortunately, most of these solutions are quick to implement, inexpensive, and just as easy to stop as they were to start (with one caveat, which we’ll get to below).
  4. Control your files, part 2. Some employees have paper files, which are a whole different issue, especially when four people in a family are all working around the same kitchen table. Your policy will discuss that (more on that in a different post), but there are simple steps to make things easier for your employees. Start by providing employees with a “care package” of a bankers box and a few hanging folders, since most of them didn’t think to bring those things home when this adventure began, and follow up with folders or whatever your employees need to keep things organized. Otherwise, you may find that your important project file contains crayon drawings of Garfield the Cat but not that critical memo you’re looking for.
  5. Consider collaboration tools. There are lots of cloud-based tools out there to allow employees to collaborate on tasks and projects, which are both a boon for group work from different locations and a headache for IT. Most companies take a lot of time and energy to evaluate those tools before implementation, given the potential for misuse or data loss. Again, however, these are not normal times, so if necessary be prepared to look into tools which allow better collaboration quickly, particularly if your employees are already using them. Better to have some measure of control over the tools your team is already using than to tell them to stop while knowing they won’t (or when they can’t get their work done without them).
  6. Get ready for the return. After one or two months of working at home, some of your employees may be thrilled to be back, but for others the cat will be out of the bag – they now know they can indeed work at home, and they may like some of the “temporary” tools you brought in during the crisis. Be prepared to listen and discuss those expectations, and to implement any tools or processes you’ve learned where it makes sense to do so. After all, there’s a whole generation of folks coming up for whom working anywhere and on any device is completely natural, so why not use this experience to get a head start on the competition.

Image by Shuvaev

No more DIY in the US for Foreign Trademark Registration

Patria trademark registration from 1892

Courtesy of our friend David Copland, a trademark lawyer based in Dresden, Germany:

Amendments to the Trademark Rules of Practice published in the U.S. Federal Register of July 2, 2019 require as of August 3, 2019 all foreign trademark applicants, registrants, and parties to a TTAB proceeding are required to use a U.S.-licensed attorney for filing any trademark-related submissions to the U.S. Trademark Office.  

Previously all trademark filings could be made directly by a foreign individual, or by a member of a foreign limited corporation, a partner of a foreign partnership, or an officer of a foreign corporation.  Under the prior rules, foreign counsel could “ghost write” filings which foreign trademark owners could submit directly.  This will no longer be possible. 

The Madrid system does not allow for designation of a U.S. attorney for applications submitted through WIPO’s International Bureau.  Consequently, initial applications filed through the Madrid system need not be filed by a U.S.-licensed attorney.  However, any further submissions to the U.S. Trademark Office related to a Madrid application, such as responses to office actions or registration maintenance filings, will require the foreign trademark owner to have a U.S. attorney.

Other than an initial application filed under the Madrid system, foreign trademark owners must be represented by a U.S.-licensed attorney for all U.S. trademark filings after August 3.

For more information see the USPTO Website or give us (or David) a shout. 

DMCA – After the counternotice

Knight without arms

Sometimes throwing down the gauntlet does more harm than good

Once the counter notice is sent things get tricky – many customers think that, having sent the counter notice, the materials can be returned to the website immediately, but that’s not true. The materials must remain offline for ten days after receipt of a valid counter notice, whether they are infringing or not. This provision is definitely favorable to copyright holders, and annoying to those who have to work around the removal for that ten day period. That waiting period can be particularly impactful when the content is timely, since that ten day window can be just enough to ensure that the content is irrelevant by the time it can be returned to the website. Not surprisingly, we see a lot of questionable DMCA notices during tight political races.

Even more important to remember, if you’re the one sending the counter notice, is that you are essentially throwing down the gauntlet and daring the other party to sue you, since that’s the only way to prevent the return of the materials to the website. Before sending that counter notice, you might want to consider long and hard whether (1) the other party is likely to sue and (2) whether you can afford to defend yourself (and deal with months or even years of legal aggravation) just so that you can use that photo of a kitten cuddling with a hamster on your blog. All kidding aside, lawsuits are painful and expensive, and potential damages for copyright cases can be astronomical, so sometimes it’s better to fold even if you are in the right.

Having received the valid counter notice, the hosting provider will forward it back to the sender of the original notice, which starts the clock ticking on the ten day waiting period. At that point the copyright holder has to either sue or accept that the materials will be put back online. While the law tends to be on the side of a valid copyright holder, the same caveats as above apply – lawsuits are an expensive and messy way to resolve a dispute, and collecting on a large judgment from a blogger with an audience of his mother and three of his best acquaintances may be more trouble than it’s worth. Just today I received a withdrawal of a counter notice against a very large company, which strongly suggests that, rather than sue a small website operator, the company reached out and came to an amicable resolution of the copyright dispute.

That being said, sometimes a lawsuit is the only way to ensure the continued removal of the material. Once the lawsuit is filed, the provider of the notice must provide proof of the lawsuit to the web host, who will forward it to the customer. At that point the web host’s job is done, at least until the lawsuit is complete months or years down the line.

DMCA – I’ve sent a notice, so now what?

Once you’ve sent your DMCA takedown notice, the host will likely do one of three things:

  • Ignore the notice
  • Ask for additional information or for missing wording
  • Forward the notice to the customer and request that the materials be removed

The first option, ignoring the notice, is typically a bad idea for hosts given the imbalance between statutory damages and the cost of simply removing the materials. Unless the notice is manifestly inaccurate or abusive, most hosts will at least ask for additional information.
Typically, when my clients ask for more information it’s for one of two reasons: either the materials haven’t been identified in a way which allows them to be verified, or the notice is missing some of the “magic words” which Congress, in its infinite wisdom, decided are necessary. Most hosts will want to at least have some sense that the materials in question are on the website and match the allegedly infringing materials, so make sure the links are precise enough to allow them to do that. And, for heaven’s sake, just include the “good faith” and perjury language – whether you like it or not, it’s a requirement under the law, so it needs to be there.
Typically the host will give the customer a few days to remove the materials – according to the statute, materials must be removed “expeditiously,” but as far as I know that hasn’t been litigated, so no one knows exactly what that means. It’s probably safe to say that up to three days is pretty safe, a month would not be, but where that line is drawn probably depends on the specific facts of the situation. A small host with limited staff would probably get a little leeway on a late removal, whereas Google or Yahoo might not.

DMCA – A few things to remember

In the last post, I told you how to prepare a DMCA Takedown notice, but I also mentioned a few caveats. Some of those are:

  • As I’ve said before, make sure you have all of the elements of the notice. It’s really not that hard.
  • In a similar vein, don’t lard up the notice with a ton of extraneous language. Lawyers in particular love to do this, but typically it just makes things more complicated for anyone who has to read it and slows the process. Often, the longest letters also leave out critical elements, which means they are actually less effective than a straightforward, simple notice. No one needs the back story – if the item is infringing we don’t need to know that the website belongs to your Uncle Max, who snuck the photo from your grandmother’s basement.
  • The DMCA is a pretty easy way to take down content which is copied, but that also makes it tempting to use for items which you want removed but for which you do not actually have the copyright (e.g., that unflattering photo of you which was actually taken by someone else, or that photo in your grandmother’s basement which you probably didn’t take). You can be held liable for false or inaccurate DMCA notices, so keep that in mind.
  • The DMCA is not for trademark complaints, although some service providers ask for a trademark notice which incorporates some of the elements of the DMCA. Don’t be surprised if a DMCA notice for a trademark matter doesn’t result in an immediate takedown (or any takedown at all).
  • While DMCA notices are most often sent to web hosting companies (and Google), anyone who has third-party content on their website, from comments to contributions, can and should register a DMCA agent. Before sending a cease and desist to a website, consider whether the content is actually the website owners and, if not, check to see if they have a DMCA agent
  • Unfortunately, people intent on copying online materials will often change providers as soon as the first notices are received, so before sending that angry followup to the host make sure the materials are still hosted with them

Unfortunately, as many frustrated writers and photographers have found, combating copyright infringement online resembles a game of whack-a-mole, so you may have to prioritize your copyright battles accordingly.
Next, we’ll find out what happens after your notice arrives at the web host.

DMCA – The takedown notice

DMCA removed notice

Since we’re on the topic of the DMCA, I thought I’d put together a primer on the DMCA takedown and notice procedures. As I mentioned in my last post, the takedown procedure offers a quick way for copyright holders to have their materials taken offline while reducing the risk for internet hosts and service providers – with caveats. We’ll cover the caveats later, but for now we’ll focus on the takedown notice, which notifies the host or ISP that there is infringing material on a website which they host. The takedown notice is addressed to the service provider, not the actual infringer, and will be forwarded by the service provider to its customer.

The takedown notice must include the following:

(i) A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

This is pretty easy – anything which you intend to be a signature can be your signature. A scan will do, your name typed and preceded by /s/, just your name, or, in the right circumstances, even an “X” will do. As long as it can be construed as a signature it will probably suffice.

(ii) Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.

This is the stuff you want removed, typically in the form of a URL leading directly to the infringing material. If there are too many to list, you can reduce it down to a reasonable sized list, but remember the host should be able to find those materials reasonably quickly – you can’t just point to the home page and say “it’s here” unless the entire home page is a copy of your materials. If the infringement is only a small portion of the page or site, consider providing a pdf with the infringing materials circled or highlighted.
Don’t list your own copyrighted materials here, or you risk having them removed. That’s like what my brother did a few years back when he called the city to have a car towed and inadvertently reported his own car, then in an effort to correct it he reported his car again. He then had to move his car. Don’t do it.

(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.

In most cases, this is where you’ll provide links which show your materials in their original location. Again, a host should be able to look at the pages listed under (ii) then look at the list under (iii) and, without too much effort, see what is allegedly infringing. Use a list of URLs where needed, and an attachment showing the exact location of the original photo or text can be helpful where appropriate.
If your content isn’t online, provide enough information for the host to verify in some way that the materials are yours. I’ve seen links to books on Amazon, citations for published papers, and even scans of documents attached to DMCA notices – as long as the host has something credible to rely on it should suffice, and if it doesn’t they’ll likely let you know so you can supplement the notice with additional materials.

(iv) Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.

This should be pretty self-evident, but it should really be more than just a reply-to address in an e-mailed complaint. A DMCA notice with contact information which is intended to avoid disclosing the identity of the complainant may be ignored by some service providers.

(v) A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

These two requirements seem to confuse people, but in reality it’s easy (and required). You simply have to parrot these two lines in your notice, e.g. “I have a good faith belief …” and “The information in this notification …” Whether you think it makes sense or not, these two statements are required, and leaving them out (or creatively rewriting them) can render the notice ineffective.

Some people (often attorneys) feel the need to lard up their notices with everything from copyright registration information to all sorts of creative reservations of rights or nasty threats. None of that is necessary, and much of it is superfluous. If the notice is proper, in order to benefit from the immunity provisions, an ISP has to either remove the materials or ask for clarification (if certain elements are present but the notice is not entirely in compliance with the law). If the notice is non-compliant it can, and probably will, be ignored.